www.csoonline.com $9.00 May 2012

CLEAR SKIES
Tools for peering into computing clouds PAGE 18

CLASS ACT
Awareness training that works PAGE 30




Smarter technology for a Smarter Planet:

How 3.8 million tailored messages made sales numbers look fantastic, too.

Japanese fashion retailer Start Today took an IBM smarter commerce approach to their business, helping increase annual sales on their Zozotown Web site by 54.2%. Their customer-centric focus uses Netezza® and Unica® to rapidly analyze massive amounts of data, letting them create personalized messages for each of their 3.8 million customers. Results? The solution helped increase the e-mail open rate by five times and the conversion rate by nearly 1,000%. Smarter commerce is built on smarter software, systems and services.

Let’s build a smarter planet. ibm.com/personalize




May 2012 Vol. 11, No. 4

SPECIAL FOCUS: BC/DR

22 Starting Up Without Starting Over
So you’ve been asked to formalize a business continuity program. Here are 9 tips from the experts. By Lauren Gibbons Paul

26 Four Trends in Business Continuity
How BC/DR is helped (and hindered) by social, mobile, virtualization and cloud. By Bob Violino

Also Inside...

2 From the Editor

6 From the Publisher

8 Join the Discussion
CSOonline readers discuss banning employees from the escalator; new risks of cloud vendors’ offshoring; and a sunny-side-up security report

18 Before Moving to Cloud, Think It Through
Toolbox: Management tools ease, don’t end, cloud security jitters. By Robert L. Scheier

30 Ten Commandments for Effective Security Training
Industry View: How to change behaviors and make information stick. By Joe Ferrara

32 Debriefing
Age-appropriate child-monitoring tools for the concerned security pro

11 Briefing
What the Global Payments Breach Means for PCI DSS
Declaring Hacktivist Orgs Dead Is as Pointless as Declaring Technology Dead
U.S. and Canada Are Major Sources of Malware Attacks
Amazon and iTunes Scammers Sentenced
Symantec Snaps Up Mobile Application Management Provider
Flashback Malware Spreads Quickly Among Macs Thanks to Unpatched Java Vulnerability
Wireless Carrier Hopes to Allay Users’ Privacy Concerns
How to Sneak Into a Security Conference


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2011 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970. www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles followed by this symbol: $. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.

Cover illustration by Brian Stauffer

May 2012 www.csoonline.com 1


[FROM THE EDITOR]

Disaster Recovery Is Just a Success Waiting to Happen

Security, the topic and thus the department, sometimes gets pigeonholed as a downer. Maybe from time to time you notice a coworker avoiding getting in the elevator with you. A CSO once told me it’s even worse when you get in the elevator and some wiseacre turns to put his hands on the wall, as if expecting you to frisk him.

But just wait until you start talking about disaster recovery too! Then nobody will even sit at your lunch table anymore!

Actually, it’s not that uncommon for business continuity and disaster recovery (BC/DR) to get dropped on the security leader’s desk.

It shouldn’t be a bummer. In fact, it’s probably a sign that you’re doing a good job, and, dare we hope, even that you are regarded as a business-minded person who will build a program with real business objectives in mind.

But that doesn’t mean it’s easy to do.

So for this issue of CSO, Lauren Gibbons Paul collects advice from the front lines on how to build a successful business continuity and disaster recovery program.

Paul notes that BC/DR is its own well-developed discipline, both related to and distinct from security and other forms of operational risk management.

She also walks you through quick tips on conducting a business impact analysis, on the necessity of top-level ownership, and other key practical concepts.

Then Bob Violino examines how four of today’s technology megatrends (virtualization, cloud, mobile and social) should be incorporated into your BC/DR planning process. For the most part, these four trends are a help rather than a hindrance. There are a few wrinkles that you should know about, however.

As the old saw goes, forewarned is forearmed. These articles should help prepare you for constructive and fruitful engagement with business continuity.

There’s really no reason it should end in disaster.

-Derek Slater, dslater@cxo.com

Editor in Chief Derek Slater
Senior Editors Bill Brenner, Joan Goodchild
Copy Editor Colleen Barry
Editorial Administrator Pat Josefek
Contributors Taylor Armerding, Lucian Constantin, Sophie Curtis, Joe Ferrara, Nancy Gohring, Ellen Messmer, Lauren Gibbons Paul, John Ribeiro, Robert L. Scheier, Bob Violino

DESIGN
Executive Director, Art and Design Mary Lester
Art Director Steve Traynor

RESEARCH
Research Manager Carolyn Johnson

TECHNICAL ADVISORY BOARD
Jason Cowling
Jeremiah Grossman, WhiteHat Security
Frank Murphy, TBG Security
Stephen Northcutt, SANS Institute
Richard Power, Carnegie Mellon CyLab

EDITORIAL/ADVERTISING/BUSINESS OFFICES
492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208
Main phone number: 508 872-0080

IDG Enterprise
An IDG Communications Company

INTERNATIONAL DATA GROUP
Chairman of the Board Patrick J. McGovern

IDG COMMUNICATIONS, INC.
CEO Bob Carrigan
Chief Content Officer John Gallant




Photo by Tim Llewellyn


COBIT®
AN ISACA® FRAMEWORK

ANNOUNCING COBIT® 5.

Delivering thought leadership and guidance from business and IT leaders worldwide, COBIT 5 takes the guesswork out of governing and managing enterprise IT.

It’s the most significant evolution in the framework’s 16-year history. COBIT 5 now provides the business view of IT governance, reflecting the central role of both information and technology in adding enterprise value. It also integrates other approaches, such as ITIL® practices and ISO standards.

IT is getting more complex by the day. Who says IT governance has to?

Take advantage of the only business framework for the governance and management of enterprise IT. Download your complimentary copy of COBIT 5 today at www.isaca.org/COBIT-CSO.

COBIT® is a registered trademark of ISACA. ITIL® is a registered trademark of the Cabinet Office. All other trademarks and company names mentioned are the property of their respective owners.

ISACA
Trust in, and value from, information systems


ADVERTORIAL

Ajay Jain
PRESIDENT AND CEO, QUANTUM SECURE

Ajay is responsible for setting the company’s vision and strategy along with managing daily operations. He holds an MBA and an MS degree in computer and information science. Ajay was the founder of MarketFirst Software and Mokume Software, both of which were sold to large, publicly traded companies.

FOR MORE INFORMATION: visit www.quantumsecure.com

QUANTUM SECURE

CSO Custom Solutions Group

Convergence
No longer a dirty word for IT Security Pros


In your world, why has convergence become a dirty word?

Convergence means different things to different people. In telecom, there is convergence of multiple communications services into a single network; there is convergence of computer and TV to “computainment” devices, such as the iPad. In Quantum Secure-speak, we are converging the identity lifecycle of the logical world with that of the physical security world. Just like a digital identity gets on-boarded and provisioned access to applications, or changed and revoked access due to certain criteria, Quantum Secure manages the same lifecycle in the physical security world across disparate and heterogeneous physical access systems, biometric systems, geographies, etc. Anything that goes around the identity is what we converge in physical security, including risk management, access analytics, behavior patterns, etc. Quantum created a new software category called Physical Identity and Access Management (PIAM) to emphasize this converged-identity notion.

What opportunities arise when you think about convergence this way?

First, it’s smart access management, where the physical security systems are aware of what IT systems are doing with an identity and vice-versa. By combining the physical and logical, one can enforce location-based access.

Another example is co-termination, where a person who gets terminated in the IT world also gets simultaneously terminated in geographically distributed, siloed, physical-access systems to eliminate unwanted intrusion. This keeps the identity lifecycle in sync. Or, if a person’s role changes, then Quantum’s PIAM will automatically invoke policies to reflect the physical access changes that person would have to bear due to the new role.

What are the most significant challenges that security pros face when trying to piece together a PIAM implementation?

The biggest problem is identity-related data integrity and consistency across physical access systems. My name is spelled Ajay Jain in the HQ location, but in London, it’s A. Jain, and in China it’s A. J. Similarly the access profiles and entitlements are different, with many added manually over time without any policies and rules. Then there are ghost accounts: terminated employees and contractors who are still active in the physical access systems.

Another problem is defining a single source of authoritative identities. You can restrict employees and certain contractors on the IT side, but on the physical side you have vendors, contractors, repair people and visitors as well. With PIAM, business process reengineering provides immediate and sustainable benefits.

A single, global-process-management and governance layer that stitches all sites together into a single operational policy framework, yet gives autonomy to the individual regions for access management, is a dramatic selling point. It’s the reduction in corporate risk and audit/compliance anomalies.

What should security pros consider?

Security pros should help bring physical security into the 21st century, where more than $120 billion is spent every year on obsolete tools, archaic systems and manual labor. Audit and compliance challenges are rarely handled well. Corporate executives often don’t see the gaping holes or security problems in this industry.

PIAM delivers dramatic efficiencies and operational cost reductions. Many Global 2000 customers have internal directives to address PIAM, usually driven by audit, compliance and cost-reduction initiatives. Still, security pros must educate and evangelize on PIAM benefits. ■


Do you know your physical security access infrastructure may be open to insider and outsider threats?

Take Control of your Physical Security Infrastructure with SAFE Solutions

Our SAFE Software Suite is a Physical Identity and Access Management System that enables a global approach to automate and streamline your Physical Security Infrastructure. With SAFE Solutions from Quantum Secure, automate and streamline physical access management, gain visibility and take control of on/off boarding processes across global facilities, and closely manage restricted areas to ensure compliance and reduce corporate risks.

SAFE delivers attestation reports for compliance to regulations such as SOX, NERC, PCI, HIPAA and more. SAFE also performs insider risk assessment with facility access analytics, and will operate with disparate physical access (PACS) and HR systems. The SAFE Software Suite is designed to create unprecedented efficiencies and lower all physical access related risks.

SAFE is ideal for:

> Government
> Airports and Ports
> Telecom
> Energy and Utilities
> Healthcare, Pharmaceuticals
> High Technology
> Financial
> Higher Education
> Transportation

© 2012 Quantum Secure, Incorporated. All rights reserved.

> quantumsecure.com


[FROM THE PUBLISHER]

The Risks Right in Front of You

I think many of us share a commonality when it comes to government. Federal, state, county, and local: we all like to rail against the inadequacies or ineffectiveness of the government.

Governments are very good at some things (like spending our money), but there’s room for improvement with others (like information sharing). But lo and behold, every now and then we find a success story where we least expect one. And sometimes there are broader lessons that can be learned from those occasional successes.

In the past, I have written about the importance of documenting immigration status. My experience has been that the United States is one of the worst nations at doing this despite the costs and risks associated with not doing so. But for the past seven years, the federal government has had a requirement that individual states verify the immigration status of anyone applying for a driver’s license or government-issued identification.

The REAL ID Act is actually a pretty decent piece of legislation, and the government has even backed up the requirement by providing access to a centralized database that contains more than 100 million immigration-related documents, called SAVE. The Department of Homeland Security administers this database and, by all accounts, does a pretty decent job of it.

But as is often the case, no good deed goes unpunished. As of my writing this piece, five states have refused to comply with REAL ID, including my home state of Massachusetts.

Most of these states decline to give any specific reasons as to why they refuse to implement the REAL ID law, but those that can be guessed at appear to be political.

I bring up this whole issue so that I can tie it back to what I see over and over again in security organizations: a failure to take advantage of readily available information that would help mitigate the threats we see every day. We see our partners being breached but continue to believe that it will never happen to us. We know that the public cloud can be risky but we ignore those risks and fail to take steps to mitigate them (even when solutions are readily available). We cannot continue to turn a blind eye on every risk out there.

At some point, reality will kick in. When we fail to enforce security policies on our partners, despite seeing other companies suffer data losses in similar circumstances, we pay the price when we are attacked by cybercriminals. And when the TSA refuses to let me board an airplane come January because my Massachusetts ID doesn’t provide an adequate level of security, you’ll be able to hear my screams all the way to California.

-Bob Bragdon, bbragdon@cxo.com


Advertiser Index

ASSA ABLOY ... 31
Box ... 25
Executive Women’s Forum ... 21
Hewlett-Packard Development Co., LP ... C3
IBM Corp. ... C2
ISACA ... 3
LogRhythm ... 13, 15, 17
Quantum Secure Inc. ... 4
Quest Software Inc. ... C4
RSA, the Security Division of EMC ... 10
Verisign Inc. ... 7


Group Publisher Bob Melk
Publisher Bob Bragdon
Senior National Sales Manager Per Melker
East Coast Regional Director, Integrated Sales Roz Burke
Account Director, Integrated Sales West Mary Hazelton
Sales Associate Sarah Nadeau

INTEGRATED MEDIA AND ONLINE SALES
SVP, GM, Online Operations Gregg Pinsky
SVP, Online Sales Brian Glynn
East Coast Online Regional Sales Manager Richard Hartman
West Coast Online Regional Sales Manager Erika Karr
Central Online Regional Sales Manager Stacy Bryne
Director, Online Account Services Danielle Tetreault

CUSTOM SOLUTIONS GROUP
Vice President Charles Lee
National Sales Directors Brett Ferry, Karen Wilde

PRODUCTION
VP/Manufacturing Chris Cuoco
Production Manager Heidi Broadley

EXECUTIVE PROGRAMS
SVP, Executive Programs Ellen Daly
Sr. Director, Event Operations Deb Begreen
VP, Content Development & Events Derek Hulitzky

MARKETING
Vice President, Marketing Sue Yanovitch
Marketing & PR Manager Lynn Holmlund

LIST SERVICES
Contact Steve Tozeski of IDG List Services at 508 820-8106 or stozeski@idglist.com

REPRINTS & PERMISSIONS
For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460, ext. 100, cso@theygsgroup.com




Photo by Christopher Navin


Rick Howard
VICE PRESIDENT AND GENERAL MANAGER, VERISIGN IDEFENSE SECURITY INTELLIGENCE SERVICES

Rick spent the last five years working as the iDefense intelligence director and is now vice president and general manager of the business. Prior to joining iDefense, Rick led the intelligence-gathering activities at Counterpane Internet Security and ran the U.S. Army Computer Emergency Response Team (CERT).

FOR MORE INFORMATION download this free report, “Establishing a Cyber Intelligence Capability” at www.verisigninc.com/CSO

VERISIGN

CSO Custom Solutions Group

BEWARE THE INTELLIGENCE-DRIVEN SECURITY OPERATION FED BY POOR INTELLIGENCE

There is a growing consensus within the information security community around the benefits of establishing “intelligence-driven” security operations. A growing number of organizations are moving in this direction, based on the combination of increasingly network-centric operations, and the complexity of today’s cyber threats. Without question, integrating intelligence into your security operations is beneficial, provided you are following a few core principles, one of which is working with accurate, deep and relevant intelligence.

THE REALITY OF THE CYBER THREAT RACE

It is no longer possible to fully prevent every potential cyber attack. The threat landscape is too vast and fast-moving, and enterprise IT environments are too diverse and dynamic. A more realistic goal for threat management is to combine advanced intelligence into an operation that prioritizes threats and preventive measures, combined with a solid plan for incident response. Verisign iDefense focuses on three elements of cyber security intelligence to ensure integration will help improve security operations: avoiding information overload, following the full lifecycle of a threat and evaluating the accuracy of intelligence.

AVOIDING INFORMATION OVERLOAD THROUGH A FOCUS ON RELEVANCE

In a world where the threat landscape is constantly changing, information about cyber threats and vulnerabilities is plentiful and inexpensive. But for corporate organizations that make strategic and tactical decisions, a simple information feed frequently isn’t enough. Too often, information lacking context and relevance overwhelms decision makers, complicating decision making.

For organizations to better understand the security threats their adversaries pose, and their methods of attack, they need to establish their own intelligence capabilities to methodically collate the data into information and turn that information into actionable intelligence.

FOLLOW THE THREAT LIFECYCLE

The loudest chatter about high-visibility threats and vulnerabilities often coincides with vendor disclosure. This discussion often results in urgent activity to patch the vulnerability, but some organizations mistakenly assume that the patch will protect their businesses from that same threat indefinitely. The truth is that threats have lifecycles and are constantly evolving. A timeline for the lifecycle of individual threats or vulnerabilities can sometimes be measured in years. Constant monitoring and updating is necessary for complete coverage.

FREE INTELLIGENCE IS NICE, BUT ACCURACY MATTERS

For years, security teams have gathered cyber threat intelligence from a variety of sources. “Free” intelligence is plentiful, primarily in unstructured data feeds, but also in newsgroups and larger solutions from vendors with proprietary offers. Organizations running complex environments or protecting sensitive information require accurate intelligence that comes as a result of a thorough validation of threats and vulnerabilities.

Intelligence is not simply a data feed, nor is it purely information. The heart of intelligence is an assessment that transforms raw information into a tool for more informed decision making. Organizations establishing an intelligence capability are moving in the right direction for maturing their security operations, but need to give careful consideration to their sources, and how the depth of analysis from those sources should impact their use of the intelligence.


What’s on your mind? Security leaders discuss and debate at www.csoonline.com

BLOG POST

Don’t Ban Employees from the Escalator, Give Them Reasons to Choose the Stairs

If you had to go up one level in a train station, would you take the stairs or use the escalator? Most people would choose the escalator. But what if the staircase played musical notes like an interactive piano? That might change things, right?

A couple years ago, Volkswagen began sponsoring an initiative called The Fun Theory that tested the degree to which it could change people’s behavior for the better by introducing an element of fun. In one example, the company found that by adding a unique element to the stairs, transforming them into an interactive piano, it was able to increase staircase use by 66 percent. You can watch the short video at www.thefuntheory.com/piano-staircase.

You can apply this same principle to your training and awareness programs: find your own piano staircase, and use it to begin guiding people to choose the right thing on their own. Forrester has been working on a report that stresses the importance of organizational culture in the development of risk and compliance programs. Throughout the research process, we asked risk and compliance professionals and vendors the same question: “How are you influencing and promoting positive behavior?”

You can create new technical controls and policies, and you can require employees to sign attestations all day, but these efforts have minimal value (or worse) when there’s no positive reinforcement. When compliance and risk management are considered obligatory tasks, rather than meaningful efforts that the company values, it diminishes the perceived importance of ethical behavior.

Instead, engage employees using different multimedia channels, and maybe even add in touches of humor and fun.

This may involve inserting humor into your newsletters or incorporating gamification techniques into your training programs, but it could also mean communicating your message in straightforward language that explains why certain rules are important and developing incentives to encourage the appropriate behavior. Ultimately, what Forrester recommends is that you work to shape your training and awareness program to reflect the characteristics your company values. Whether your company’s culture is more hierarchical or fosters a more collaborative tone, use the techniques that fit your organization best and run with them.

For a more comprehensive look at this topic, keep a lookout for Forrester’s report “Drive Change Management for Governance, Risk, and Compliance: Best Practices for Establishing a Culture of Risk Management and Compliance.”

And as always, we’d love to hear your take. —Nick Hayes, Forrester

BLOG POST

New Risks of Cloud Vendors’ Offshoring

This week a note of caution regarding an unusual trend in some cloud agreements. In several recent transactions, I have seen provisions that put the customer on notice that the provider has one or more offshore affiliates who may assist in accomplishing the tasks the vendor is being asked to perform.

This, in and of itself, is not unusual. What is unusual is that in these transactions, the provider has taken the position that (i) it cannot tell which of its affiliates will be involved, (ii) it cannot provide a definitive list of the relevant jurisdictions involved, and (iii) even though the use of the affiliates is for the convenience of the provider, compliance with all applicable laws regarding cross-border transfers of personal data, including local laws in the relevant jurisdictions, is the responsibility of the customer. It is this last item that causes the most concern.

The customer has no control over where its data will be sent, how often it will be moved, or even which specific jurisdictions will be involved. Yet the customer is somehow meant to assume the obligation of ensuring compliance with the myriad potentially applicable privacy and consumer-protection laws everywhere in the world, which can include adjusting its privacy policy and obtaining consents from consumers.

I suggest that is a tall order, perhaps impossible, and one no cloud customer should be forced to undertake.

In one such problematic transaction, the vendor was asked if the customer could encrypt its data so as to minimize the security and compliance issues presented by this type of undefined offshoring. The vendor said that the customer could encrypt its data, but in at least some jurisdictions (e.g., China), the customer would have to supply the decryption key, rendering the protection illusory.

These developments point to the need for customers to push back and push back hard on unrealistic and unreasonable provisions in cloud agreements. They also show that vendors need to take a reality check on what they are requiring from their “valued” customers in their contracts.

— Michael Overly

Image courtesy of Electrobeans

BLOG  POST 

A  Sunny-Side-Up 
Security  Report? 

As  skeptical  as  I  am  about 
vendor-based  reports  and 
all  the  ways  a  message 
can  be  skewed,  I’m  going 
to  mention  a  new  IBM 
X-Force  report  here  because  it  does  some¬ 
thing  really  strange  in  this  day  and  age: 
It  reports  good  news  instead  of  the  usual 
“things  are  worse  than  last  year.” 

According to the “2011 X-Force Trend and Risk Report,” application security vulnerabilities are down, as is the volume of exploit code and spam. As a result, the report suggests, the bad guys are being made to rethink their tactics and so they are targeting more niche IT loopholes and emerging technologies, such as social networks and mobile devices.

Among the observations:

■ Attacks targeting shell command injection vulnerabilities became two to three times more common, but the number of SQL injection vulnerabilities in publicly maintained Web applications dropped by 46 percent this year.

■ There was a spike in automated password guessing based on poor passwords and password policies, directed at secure shell servers in the latter half of 2011.

■ There was a rise in phishing attacks that impersonate social networking sites and parcel services to entice victims to click on links to Web pages that may try to infect their PCs with malware.

■ The number of exploits publicly released that can be used to target mobile devices increased by 19 percent. These exploits are more frequently targeting enterprise information made accessible thanks to the bring-your-own-device, or BYOD, trend.




All that said, there still appears to be more bad news than good. Social networking may be an emerging trend in the grand scheme of the universe, but attacks against it are hugely successful these days. The reason is that the attacks are all about social engineering. How can you lose when there are always gullible users out there?

As I said, these reports can be skewed in a dozen ways.

But I do want to take this moment to give IBM credit for delivering this report sunny-side up. Given how often security vendors go to the opposite extreme to scare us into buying things, it was nice to see.

—Bill  Brenner 


May  2012  www.csoonline.com  9 


ADVERTISEMENT

MARKET PULSE

With the pace of change overwhelming security efforts, how can IT take control?

In today's world, the IT profession's marching orders seem like a contradiction in terms: give employees, partners, and customers access to what they need when they need it, keep it secure, and do it at a lower cost than last year.

A recent IDG Research survey substantiates these pain points (see chart: Top Security Challenges Over the Next 12 Months), and the problem is getting bigger.

To better deal with growing complications, companies must move beyond a narrow view of security toward one that integrates it with compliance, risk management, and even corporate governance. Staffing an IT department to tackle this holistic perspective may be daunting, but there are options available that keep companies safe.

When respondents were asked about confidence in their IT security organizations' abilities, only about half rated their IT security organizations as excellent or good at maintaining real-time awareness of the changing threat landscape, or correlating real-time security events to industry and government compliance policy. This low figure makes it clear that mitigating the new landscape of security risk will require new strategies for success.

Security is more complex than ever before. Executives find themselves saddled with a mixture of point solutions, each targeting a specific area of security. More often than not, these solutions can't easily exchange information—and even if they do, it's impossible to cogently analyze what their reports mean in aggregate.

Most companies' security efforts fall into the second of the four layers: technology point solutions. Companies functioning across layers one and two are more proactive. Situational awareness sits at a third layer, providing a level of event correlation that is increasingly crucial. Companies that strive for integration across three of the four layers can develop a holistic, overarching view of what's going on both within their network and on its perimeter.

The New Security Universe

Increasingly, to address these new security issues, forward-thinking IT departments are moving toward outsourcing security to dedicated managed security service providers (MSSPs), such as CSC. MSSPs deal with multiple companies' security challenges, so they have a broader perspective of security issues. And because they focus only on security, MSSPs have the expertise to handle not just the minutiae (patch and virus updates), but also new technologies and regulations affecting client situations at the enterprise level. MSSPs bring specialized skills and experience to bear that any one company may not be able to find—or afford—among security professionals.

That experience means MSSPs can also more easily offer a holistic perspective of governance, risk and compliance, along with security. By solving basic problems and addressing larger challenges, MSSPs can help companies level out their operating expenses, saving them money and time.

Working with an MSSP, companies can ensure the safety of intellectual property, reduce operational costs, and bring much-needed peace of mind.

For more information on CSC's security stack, visit http://www.csc.com/cybersecurity/insights/53094-the_ security stack a_white paper. For more insights and features on security from RSA, visit http://www.emc.com/emc-plus/rsa-thought-leadership/index.htm. Download the white paper at www.csoonline.com/whitepapers/rsa

Chart: Top Security Challenges Over the Next 12 Months

■ Mobile clients and unmanaged devices: 57%
■ Controlling IT security costs
■ Increasing sophistication of attacks (e.g., APTs)
■ Increasing complexity of security solutions
■ Complying with government security and privacy regulations: 37%
■ Controlling access to end user data: 34%
■ Lack of IT security experts/necessary skill sets within company: 32%
■ Securing virtual environments: 31%
■ Complexity of managing a broad portfolio of security tools/solutions: 27%
■ Difficulty of securing cloud-based data
■ Always-on environment
■ Integrating third-party vendor software into your environment

(The values 38%, 37%, 34% and 22% also appear in the chart but are not legibly paired with an item.)

CSO Custom Solutions Group

SOURCE: IDG RESEARCH SURVEY FOR CSO: APPROACHES TO IT SECURITY AND MAINTAINING SITUATIONAL AWARENESS


“Having six out of 10 malicious sites on compromised hosts is unacceptable to a society that is moving to the cloud.” page 13


Edited  by  Bill  Brenner 


What  the  Global  Payments  Breach  Means  for  PCI  DSS 


The theft of 1.5 million card numbers highlights strengths and weaknesses of security standards

The latest data security breach to strike a processor used by MasterCard and VISA has security experts focusing anew on the good and bad of PCI DSS. On one hand, the standard offers a clear blueprint for how to handle such a breach. On the other hand, compliance is usually not the cure, as this latest incident demonstrates.


“While the scope and details of the attack are not yet known, it shows, three years after the Heartland Payment Systems breach of 130 million credit card numbers, that credit card data is still vulnerable,” says Neil Roiter, research director at Corero Network Security. “The Payment Card Industry Data Security Standard [PCI DSS] is highly prescriptive in nature, but simply complying does not ensure credit card security. Companies that rely on PCI DSS to solely dictate their security measures will continue to remain vulnerable to attack.”

Visa and MasterCard are alerting banks across the country about a recent major breach that could involve more than 10 million compromised card numbers, according to experts outside Global Payments. The company itself says only 1.5 million cards were affected.

Global Payments believes the affected portion of its processing system is confined to North America, and that Track 2 card data may have been stolen.

Track 2 is a format, developed by the American Bankers Association, for storing credit card data, including the account number, expiration date of the card, and sometimes discretionary data, on the magnetic stripe of a card. Track 1 stores the user’s personal information, such as cardholder names, addresses and social security numbers. This information was not obtained by the hackers, Global Payments says. “Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained,” it says.
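After an incident like this one, a merchant's or processor's forensic team has to find out whether raw stripe reads ever landed in logs, crash dumps or disk images. The scanner below is an added example, not code from the article or from Global Payments; it assumes the Track 1 and Track 2 layouts from ISO/IEC 7813 (sentinels `%B`, `;`, `^`, `=`, `?`, a YYMM expiry and a 3-digit service code), which the article does not spell out, and the log extract it scans is constructed.

```python
"""Scan text (a log extract, or a memory/disk dump rendered as text) for
magnetic-stripe Track 1 / Track 2 data and report each hit with the PAN
masked.  Added example for this article, not code from Global Payments or
the article's authors.  Track layouts assumed from ISO/IEC 7813; the sample
dump below is constructed."""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test: weeds out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list[dict]:
    """Return one record per track hit, in order of appearance.  The full PAN,
    the cardholder name and the discretionary data (which can carry the
    CVV/PVV) are deliberately never copied into the report."""
    hits = []
    for track, pattern in (("1", TRACK1_RE), ("2", TRACK2_RE)):
        for m in pattern.finditer(text):
            pan = m.group("pan")
            hits.append({
                "offset": m.start(),
                "track": track,
                "masked_pan": mask_pan(pan),
                "expiry": m.group("exp"),        # YYMM as stored on the stripe
                "service_code": m.group("svc"),
                "luhn_valid": luhn_ok(pan),
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample: a point-of-sale log that wrongly wrote raw swipes to disk.
# 4111111111111111 is a well-known Luhn-valid test number; ...1112 fails Luhn.
SAMPLE_DUMP = (
    "2012-02-10 03:14:07 pos-terminal-7 swipe ok "
    "%B4111111111111111^DOE/JOHN^2512101123456789? "
    ";4111111111111111=25121011234567890? "
    "2012-02-10 03:14:09 pos-terminal-7 swipe err "
    ";4111111111111112=2512101? "
    "2012-02-10 03:14:11 pos-terminal-7 order 1234567890123=20120210"
)

if __name__ == "__main__":
    for rec in find_track_data(SAMPLE_DUMP):
        print(rec)
```

A hit with `luhn_valid` False is usually noise or a corrupted read, but a run of valid PANs in a file that should never hold card data is exactly the scoping finding a QSA or incident responder is looking for.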

Ted Julian, chief marketing officer of Co3 Systems, a data-loss-management firm, estimates the liability for a merchant with 1 million cards compromised could top $1.6 million in compliance fines alone.

Security journalist Brian Krebs, who broke the story March 31, says that the two credit card firms issued non-public alerts to banks detailing specific cards that may have been compromised in a breach of the so-far unnamed processor between Jan. 21 and Feb. 25 of this year. Krebs says the fraudulent card use “seemed to be tied to gang activity in New York City, but I haven’t heard that from more than one source.”

In the grand scheme of credit card breaches, this one does not come close to topping the list: the Heartland Payment Systems breach in late 2008 involved more than 130 million credit and debit cards and about 175,000 merchants. But it illustrates once again how vulnerable such systems are to attack.

Julian says retailers affected by the recent breach have to move quickly to comply with PCI DSS standards, to “notify consumers and brands in a timely fashion. Forty-six states have laws on the books [requiring companies] to notify consumers if credit card information was put in harm’s way. So they’re scrambling to find out if they were compromised, and then they have to adapt it to the state matrix.”

In an assessment model he created, Julian’s list of “minimum recommended actions” includes notifying one trade organization, five state attorneys general, and 900,000 consumers in nine states, telling the credit agency of 600,000 exposures in six states, notifying local media in two states, providing other general notification and notifying five special offices in three states.


Merchants can minimize or even eliminate those fines by complying with the laws, he says, but if they don’t, “they can really add up. In the [2005] ChoicePoint breach, $15 million of their $41 million in costs were from fines. And with the changes in the law since then, the fines would be much more today.”

For consumers, Krebs says it doesn’t make sense to demand a new card, but recommends simply monitoring card activity online for any suspicious transactions. “Consumers are not on the hook for fraud charges, provided they report unauthorized activity. Having to deal with a new card can be disruptive and time-consuming,” Krebs says.

—Taylor Armerding and John Ribeiro


SALTED  HASH 


Declaring Hacktivist Orgs Dead Is as Pointless as Declaring Technology Dead


THE SECURITY community and those who cover it—myself included—have some really macabre death-watch games we like to play. We salivate over the prospect of someone declaring technologies dead: intrusion-detection systems (IDS), pen testing, security information and event management (SIEM).

Usually, these rumors are started by vendors who are competing against the technologies they’re declaring dead.

When Fortify co-founder and chief scientist Brian Chess predicted that pen testing would be dead in 2009, he was speaking as someone who believed his company’s products would render pen testing obsolete. It’s 2012, and pen testing is alive and well. An earlier prediction that IDS would soon die hasn’t come to pass either.

Last year, eIQnetworks did more of the same when it predicted the death of SIEM. The vendor considers its SecureVue platform superior to SIEM—the next step in the evolution of security technology. Fewer SIEM users means more potential customers for them.

I don’t fault them for wanting it to be this way. But wishing something dead rarely makes it so.

I think there’s a connection between the technology death watch and the way that hacktivism is covered today.

On CSOonline.com, I reposted an article, originally from one of our sister sites, called “Reborn LulzSec claims hack of dating site for military personnel.” It began:

“A group of hackers claiming to be the reborn Lulz Security (LulzSec) took credit for an alleged compromise of MilitarySingles.com, a dating website for military personnel, and the leak of over 160,000 account details from its database.”

The “reborn” part caught my eye. To be fair, in this case the attackers are calling themselves that. But I think we in the media are in danger of getting trapped in a game of dead-or-alive when it comes to LulzSec.

Back in late June, we had headlines loudly reporting the retirement of LulzSec after its initial rampage, which included attacks on the CIA, the Senate, PBS and Sony. At the time, I expressed skepticism in a post called “Whatever, LulzSec,” in which I wrote that “this stupid saga” was far from over. Sure enough, we now have the “reborn” LulzSec.

This is my word of caution to fellow journalists, analysts and commentators: We run a risk by launching a new death-watch game with equally fruitless predictions. We shouldn’t get too caught up in the life and death of these groups.

They will always go on extended rampages, quiet down, and then ramp back up again a few weeks or months later.

That’s how it goes when you’re dealing with decentralized groups with plenty of loose cannons in the membership.

That’s also why all the recent arrests—which caused some of us to speculate on whether we were witnessing a death blow to LulzSec and Anonymous—are not the end of the story.

—Bill  Brenner 


CSOonline’s new Salted Hash blog and newsletter covers the news as it happens: blogs.csoonline.com/blog/cso




MALWARE 

U.S. AND CANADA ARE MAJOR SOURCES OF MALWARE ATTACKS

In its annual review of global security threats, Websense says a major trend it observed last year is that more malware connections, hosting and phishing appear to be coming from the United States and Canada.

“Fifty percent of malware connections lead to the U.S.,” says Charles Renert, vice president at Websense Security Labs. According to “Websense Threat Report 2012,” Canada’s malware ranking has also zoomed upward in the past year, so the country now clocks in at number two, with 13.2 percent of all malware connections. The rest of the top five are Germany at 5.4 percent, the Netherlands at 4.9 percent, and China at 4.1 percent.

China and Russia used to be much higher in the rankings, according to Websense, but since organizations have been blocking IP ranges for these countries, cybercriminals have turned to getting malware closer to their victims by exploiting trusted networks, such as social networking sites.

The Websense report says the top five malware host countries are the United States at 36.3 percent, Russia at 14.7 percent, France at 13.2 percent, Germany at 7 percent, and Singapore at 3.4 percent. The top five countries for phishing are the United States at 59.9 percent, followed by Canada at 9.8 percent, Egypt at 6.8 percent, Germany at 2.3 percent, and the United Kingdom at 1.8 percent.

“It's all about social engineering and the lures,” Renert says.

Social networks such as Facebook, Twitter and Google have become prime vehicles for malware attacks of all kinds, he notes. A commonplace example is a video lure that leads to a compromised site, an increasingly common type of attack on Facebook, he says.

“Having more than six out of 10 malicious websites on compromised hosts is unacceptable to a society that is moving to the cloud as a backbone for commerce, communications and culture,” the report says.

While the threat report is a summary of trends that dominated 2011, Websense is also venturing some predictions. Perhaps not surprisingly, one of them is that, “Your social media identity may prove more valuable to cybercriminals than your credit cards. Bad guys will actively buy and sell social media credentials in online forums.”

—Ellen Messmer




Security Wisdom Watch


Thumbs down: Global Payments. The credit card processor has some explaining to do after someone gained unauthorized access to its processing system and “exported,” by the company’s estimate, 1.5 million card numbers. External experts, however, think more than 10 million card numbers could be compromised, and Visa and MasterCard are alerting banks across the country. The breach could have happened despite a top-notch security effort; only time will tell. For now, any breach is cause for a thumbs down.

Thumbs both ways: Qualified security assessors (QSAs). Whenever there’s a breach like the one at Global Payments, one of the first questions is whether the QSAs who performed the compliance audits were rigorous enough. As with any profession, there are no doubt good and not-quite-so-good QSAs out there. Ultimately, though, responsibility for a breach rests with the company that’s hacked.

Thumbs down: Girls Around Me app. Privacy advocates are raising a red flag over this app, which collects data from Foursquare to show local bars where women have checked in and collects information from the women’s Facebook profiles, including photos and relationship status. They should have called this trashy product the Stalker app.

Thumbs down: Declaring hacktivism dead. The security community loves declaring technologies dead: intrusion-detection systems, pen testing, security information and event management. But all those technologies are still with us. So why declare hacktivist groups like LulzSec dead whenever they leave the limelight? Like technology, they never really go away.


—B.B. 


LAW  ENFORCEMENT 

Amazon and iTunes Scammers Sentenced

Gang of British cybercriminals made thousands of fraudulent music sales

The final three members of an 11-person gang that scammed iTunes and Amazon out of £500,000 ($793,000) worth of royalty payments have been charged with fraud and money laundering by London’s Southwark Crown Court.

Craig Anderson, Arran Jassi and Lamar Johnson all pleaded guilty to conspiracy to commit fraud after using three online music management companies to upload UK-produced urban music albums and tracks for sale on Apple iTunes and Amazon.com.

The principal organiser, Craig Anderson, then reportedly acquired thousands of compromised credit card numbers from U.S. and UK customers, which the group then used to make over 500,000 online purchases of the music.

Anderson has been sentenced to 4 years and 8 months in prison. Jassi and Johnson were both given 8 months, but Jassi’s sentence has been suspended.

The fraud, which was first identified by Apple in 2009, generated sales equivalent to that of a major recording artist, according to the Police Central e-Crime Unit (PCeU) of the Metropolitan Police, whose jurisdiction is the area immediately surrounding London. The estimated loss to the victims, Apple and Amazon, is believed to be in the region of £1 million ($1.59 million).

The investigation was first launched by the New York Police Department, but was passed to the PCeU when it became apparent that the operation was based in the UK. In total, 11 people have been convicted and sentenced to a total of 13 years and four months of imprisonment.

“The nature of online commerce presents opportunities for sophisticated and resourceful cybercriminals, operating across national boundaries and jurisdictions,” says Detective Constable Simon Mills of the PCeU.

“We hope the successful outcome of this and other PCeU investigations will serve as a deterrent to those contemplating these conspiracies, will put fear into the minds of those engaged in them, and will serve to reduce the harm caused by cybercrime.”

The PCeU is a national unit created to respond to the most serious incidents of cybercrime in the UK, and forms part of the government’s response to cyberthreats under the National Cyber Security Programme. In March, the unit arrested 14 people in connection with a phishing attack that robbed a British woman of her £1 million ($1.59 million) life savings. —Sophie Curtis




MERGERS  AND  ACQUISITIONS 


Symantec Snaps Up Mobile Application Management Provider


It’s been an active spring for mergers and acquisitions. One of the more interesting examples: Symantec announced its acquisition of Nukona, a privately held provider of mobile application management (MAM) tools.

Symantec says this is about honing its mobile security strategy. As a bonus, the company says, Nukona’s technology chops will complement those of Symantec’s other recent acquisition, Odyssey Software.

“As the adoption of mobile devices and apps continues to grow at an unprecedented rate, one of the biggest challenges for customers is to protect and manage the native apps, data and environments of these devices,” says CJ Desai, senior vice president of the endpoint and mobility group at Symantec. “The acquisition of Nukona helps us further address the consumerization of IT and bring-your-own-device [BYOD] trends by helping organizations protect and isolate corporate data and applications across both corporate-owned and personally owned devices.”

Symantec’s press release continues:

“With Nukona’s ability to natively protect and control iOS, Android and HTML5 apps, Symantec will address the core problem of corporate and personal data separation without limiting the end-user experience or application adoption. By securely distributing and managing mobile applications and content, Symantec customers will be able to address corporate data security concerns around data leakage, encryption and authentication on a per-application basis, for both BYOD and corporate-owned devices.

“Unlike traditional proprietary sandbox solutions, Symantec’s approach will extend application protection that ‘wraps’ both native and Web-based apps with a management layer that allows IT to apply security policies without requiring any changes to the applications, leaving personal apps and activities untouched. In addition, the flexibility of cloud-based and [on-premise] enterprise app stores helps provide a seamless and scalable way to enable mobile application deployments. Nukona’s secure content library also allows for the protection and synchronization of documents without risk of data loss.”

The  cost  of  the  acquisition  has  not  yet  been  announced. 


-B.B. 




VULNERABILITIES  AND  EXPLOITS 


Flashback Malware Spreads Quickly Among Macs Thanks to Unpatched Java Vulnerability


A Java vulnerability that was patched by Apple late last month was exploited by cybercriminals to infect Mac computers with a new variant of the Flashback malware, according to security researchers at the antivirus firm F-Secure.

Oracle released a fix for the targeted vulnerability, which is identified as CVE-2012-0507, back in February, and it was included in an update for the Windows version of Java.

However, since Apple distributes a self-compiled version of Java for Macs, it ports in Oracle’s patches on its own schedule, which can be months behind the one for Java on Windows.

Security experts have long warned that this delay in delivering Java patches on Mac OS could be used by malware writers to their advantage, and the new Flashback.K malware confirms that they were right.

Flashback is a computer Trojan horse for Mac OS that first appeared in September 2011. The first variant was distributed as a fake Flash Player installer, but the malware has changed significantly since then, in both functionality and distribution methods.

Back in February, several antivirus companies reported that a new Flashback version was being distributed through Java exploits, which meant that the infection process no longer required user interaction.

The Java vulnerabilities targeted by the February exploits dated back to 2009 and 2011, so users with up-to-date Java installations were protected.

However, that’s no longer the case with the latest variant of the malware, Flashback.K, which was distributed by exploiting an unpatched Java vulnerability, security researchers from F-Secure said in a blog post last month.

After being dropped and executed on the system via the CVE-2012-0507 exploit, the new Trojan horse prompts a dialog window that asks the user for their administrative password.

Regardless of whether the user inputs the password or not, the malware still infects the system, F-Secure said in its description of the malware. The Trojan’s purpose is to inject itself into the Safari process and modify the contents of certain Web pages.

There are rumors that a new exploit for a different unpatched Java vulnerability is currently being sold on the underground market and could be used to target Mac users in a similar way in the future, the F-Secure researchers said.

“If you haven’t already disabled your Java client, please do so before this thing really becomes an outbreak,” researchers said. The antivirus company provides instructions on how to do this.

Apple stopped including Java by default in Mac OS X starting with version 10.7 (Lion). However, if Lion users encounter a Web page that requires Java, they are prompted to download and install the runtime and might later forget that they have it on their computers. —Lucian Constantin


PRIVACY 

Wireless Carrier Hopes to Allay Users’ Privacy Concerns


Carrier IQ executives say they hope that customers now recognize the value of the data that the company’s software collects after some operators disabled the software following a privacy uproar late last year.

The company’s software sends information about a phone’s performance to network operators, which use the data to learn more about performance issues.

“Some of our customers have been using this data for five years. It’s deeply embedded in how they operate,” says Andrew Coward, vice president of marketing and product management at Carrier IQ.


Coward claimed the company didn’t lose any customers after last year’s release of a research report that showed that its software was logging keystrokes, unbeknownst to end users.

He maintains that Carrier IQ’s software isn’t to blame. Rather, some implementations of the software “led to information being written into these files that never should have been,” he says.

Operators have been pushing out firmware updates to correct any problems. According to Coward, Carrier IQ has also added a qualification step to ensure the software is implemented correctly and that no private data is left on devices. —Nancy Gohring




PHYSICAL  DEFENSES 

How to Sneak Into a Security Conference


A  social  engineering  expert  details  how  he  managed 
to  go  anywhere  he  wanted  at  RSA  2012,  and  got  a  free 
conference  badge  under  a  pseudonym  to  boot 


'  hen  I  checked  in  at  the  RSA  2012  conference,  I  was  instructed  to  wear  my 
badge  at  all  times. 

“You  won’t  be  able  to  go  anywhere  without  it,”  a  registration  official 
informed  me. 

But  this  does  not  seem  to  be  an  obstacle  for  my  anonymous  source,  whom  I  met 
the  first  day  of  the  conference.  An  expert  in  event  security  and  in  risk  management 
and  physical  security,  he  is  in  the  business  of  “pen  testing  humans”  via  social  engi¬ 
neering,  he  said.  I  met  him  while  I  was  covering  the  event,  and  he  agreed  to  give  me 
details  of  how  he  snuck  into  RSA  in  a  matter  of  minutes  without  any  credentials-and 
then  went  back  and  got  credentials  under  a  fake  name  to  boot. 

My  source  was  in  the  area  attending  the  nearby  B-Sides  security  event,  and  he 
had  a  B-Sides  staff  badge  because  he  was  working  during  some  of  that  conference. 
Although  he  had  not  registered  for  RSA,  he  decided  to  wander  over  and  see  what 
was  going  on. 

“I  walked  in,  walked  around,  cased  the  place  for  a  few  minutes,"  he  explained  to 
me.  “I  saw  where  all  the  entry  points  were  located  and  where  the  security  guards 
where  standing.” 

He  stood  for  a  short  time  and  waited  for  a  group  of  people  to  walk  in  together. 
When  a  new  security  guard  came  in  to  relieve  another  one  near  an  entrance  point, 
my  source  saw  his  chance.  “I  started  walking  in  with  a  large  group  of  people.  I  held 
up  my  badge  and  covered  the  B-sides  logo  with  my  thumb.  I  flashed  it  and  said,  ‘I’m 
staff,’  and  kept  going  in,  never  missing  a  step.” 

At  that  point,  my  source  was  in-and  free  to  take  part  in  many  of  the  RSA  Confer¬ 
ence  activities.  He  said  he  walked  around  for  a  while  and  even  attended  two  of  the 
scheduled  presentations. 

After  a  short  time  on  the  expo  floor,  my  source  left  RSA  to  head  back  to  B-Sides. 
But  once  he  was  out  of  the  building,  he  used  Google  to  search  for  any  RSA  RSVP 
codes  that  companies  had  extended  to  clients  and  others  that  allow  people  to  reg¬ 
ister  for  the  conference  for  free.  Using  a  free  registration  code  he  found  online,  he 
registered  for  RSA  without  using  his  real  name.  He  then  went  in  to  the  venue  again 
to  get  an  RSA  badge  and  was  given  one  without  showing  any  form  of  identification. 

To  get  his  badge,  he  only  had  to  turn  on  his  smartphone  and  show  a  copy  of  the 
confirmation  email  (which  he  got  using  a  free  code). 

My  source  noted  that  as  someone  who  makes  a  living  by  sneaking  into  events  to 
check  security,  he  thinks  the  biggest  weakness  was  the  training  of  the  staff. 

“They  need  training  of  awareness  of  badges  and  an  understanding  what  is 
allowed  in  and  what  is  not,”  he  noted.  -Joan  Goodchild 




TOOLBOX: TOOLS, TECHNOLOGIES AND TACTICS

By Robert L. Scheier


Before Moving to Cloud, Think It Through

Management tools ease, don’t end, cloud security jitters

Many enterprises are reluctant to move critical cloud applications out of their own data centers and into the public cloud due to security concerns. Yet the same automated, consistent provisioning that is essential to managing either public or private clouds (as well as to the process of thinking through a cloud deployment) can also offer the fringe benefit of improving security.

Of course, not all cloud management tools work equally well with all cloud providers, nor do they all allow customers to manage their internal and external clouds as a single unit. Infrastructure-as-a-service (IaaS) providers such as Amazon, for example, typically don’t allow customers to tweak the network and storage infrastructure beneath the operating system, forcing customers to trust that level of security to the vendor.

And while some customers will trust outside certifications, such as Amazon Web Services’ Level 1 compliance with PCI DSS, others will choose to stick with a private cloud within their own firewalls, or create cloud environments at an external site using their own networks and keeping storage under their control.

Furthermore, compared to internal IT infrastructures, the public cloud requires more attention to components such as network firewalls, load balancers and network address translation to hide the public IP addresses most cloud providers assign to servers. But whatever the model, the automated, consistent processes required for large-scale cloud deployments not only increase the efficiency, reliability and performance of these environments, but also improve security.


Benefits of Thinking It Through

With physical servers, staging and setup is a manual, one-off job; however, with virtual machines (VMs), creating templates or policies for various types of servers forces organizations to “think about it more and plan for it,” says Matt Conway, CTO of online backup vendor Backupify. “If you need to recreate [a type of server] quickly, you must script it and automate it.”

And while conventional servers often run multiple types of software to provide different services, organizations often give VMs in cloud environments much more specialized personalities to perform specific tasks, says Patrick Kerpan, president and CTO of cloud management vendor CohesiveFT. Standardizing these templates, he says, “is a security bonus because, to the average enterprise, anything that causes a change control ticket is a security risk.”

Going through the process of deciding whether to host a particular application or service in the cloud and, if so, in what type of cloud, forces organizations to assess the value of an application or service. The resulting deployment decisions can improve those systems’ reliability, uptime and efficiency, as well as their security, says Lilac Schoenbeck, a senior manager in cloud computing marketing at management software vendor BMC.

However, “security [staff are] often not invited to the cloud architecture discussion soon enough,” she says, out of fear that their caution will block cloud adoption.

Organizations that use internal service catalogs or identity-management systems to control which users can access which applications can reuse much of that work to secure the cloud, says Andi Mann, vice president of strategy at software vendor CA. Enabling an end user to access cloud services, he says, requires some level of understanding of who they are and what they are allowed to do. Without a service catalog, “you’re doing a lot of manual processing” to understand which cloud applications employees are using.

Automated Provisioning

Because so many security vulnerabilities are caused by human error, automating proper server configuration also automatically improves security. With cloud environments containing dozens, hundreds or even thousands of VMs, manual configuration would be outrageously expensive and time-consuming. Automated server provisioning tools reduce costs, increase business agility, and help prevent variations that could create vulnerabilities.

While not all automated server provisioning tools integrate well with every cloud provider, such tools can help organizations standardize on the right operating system, the right patch level, and the right configuration of middleware, databases, load balancers and management agents, says Mann. They also enable administrators to easily control common security-sensitive settings, such as which ports are open and which services are running.

HyTrust’s virtual management appliance, for example, provides server configuration templates, assesses security configuration of VMware vSphere hosts against industry frameworks, and automatically replicates policies and templates across multiple appliances.

Similarly, CohesiveFT sells the VPN-Cubed virtual firewall and router, as well as management tools for building VM templates and for automating common management tasks.

The particular needs of the cloud have led some service providers to develop their own tools. Internap, an IaaS provider, offers software that automates and audits the configuration of network switches in its cloud to create virtual LANs. This allows companies to more securely link their cloud-based virtual servers with the physical, dedicated servers within Internap’s cloud that run demanding applications such as databases, says Paul Carmody, senior vice president of product management and business development.

Security administrators must also pass increasingly strict audits for compliance with either internal or industrywide security standards. Some cloud provisioning tools automatically produce such an audit trail, sometimes as a byproduct of the automated, policy-driven creation of servers that helps customers adapt more quickly to business needs or equipment breakdowns. Many automated provisioning tools provide reports on which users or administrators created and configured which servers.
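To make the template-and-audit-trail idea concrete, here is an added example (not code from HyTrust, CohesiveFT or any other vendor named above) that checks a constructed VM inventory against per-role templates for operating system, patch level, open ports and running services, and records which administrator provisioned each drifted server. The RoleTemplate format, the VmRecord fields and every name and value in SAMPLE_INVENTORY are assumptions made for the illustration.

```python
"""Check provisioned VMs against per-role templates and build an audit trail.

Added example for this article; it is not code from HyTrust, CohesiveFT,
RightScale or any other vendor named here. The RoleTemplate format, the
VmRecord fields and SAMPLE_INVENTORY are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Set


@dataclass(frozen=True)
class RoleTemplate:
    """Desired state for one specialised VM 'personality' (web, db, ...)."""
    name: str
    os_release: str
    min_patch_level: int
    allowed_ports: frozenset
    required_services: frozenset
    forbidden_services: frozenset


@dataclass
class VmRecord:
    """Observed state of one running VM, plus who provisioned it."""
    vm_id: str
    role: str
    created_by: str
    os_release: str
    patch_level: int
    open_ports: Set[int]
    running_services: Set[str]


# Constructed templates: only sshd plus the role's own service may listen.
TEMPLATES = {
    "web": RoleTemplate("web", "ubuntu-12.04", 3, frozenset({22, 443}),
                        frozenset({"sshd", "nginx"}),
                        frozenset({"telnetd", "ftpd"})),
    "db": RoleTemplate("db", "ubuntu-12.04", 3, frozenset({22, 5432}),
                       frozenset({"sshd", "postgresql"}),
                       frozenset({"telnetd", "ftpd", "nginx"})),
}


def check_drift(vm, template):
    """Return findings (strings) where the VM deviates from its role template."""
    findings = []
    if vm.os_release != template.os_release:
        findings.append(f"os_release {vm.os_release} != {template.os_release}")
    if vm.patch_level < template.min_patch_level:
        findings.append(f"patch_level {vm.patch_level} below minimum "
                        f"{template.min_patch_level}")
    # Ports open that the template never allowed.
    for port in sorted(vm.open_ports - template.allowed_ports):
        findings.append(f"unexpected open port {port}")
    # Services the role needs but that are not running.
    for svc in sorted(template.required_services - vm.running_services):
        findings.append(f"required service {svc} not running")
    # Services the template explicitly forbids.
    for svc in sorted(vm.running_services & template.forbidden_services):
        findings.append(f"forbidden service {svc} running")
    return findings


def audit_inventory(inventory, templates=TEMPLATES):
    """Check every VM; the result doubles as an audit trail of who created what."""
    report = {}
    for vm in inventory:
        template = templates.get(vm.role)
        findings = (check_drift(vm, template) if template
                    else [f"unknown role {vm.role}"])
        report[vm.vm_id] = {"created_by": vm.created_by, "findings": findings}
    return report


def drifted_by_creator(report):
    """Map each administrator to the drifted VMs they provisioned."""
    summary = {}
    for vm_id, entry in report.items():
        if entry["findings"]:
            summary.setdefault(entry["created_by"], []).append(vm_id)
    return summary


SAMPLE_INVENTORY = [  # constructed data, not a real environment
    VmRecord("web-01", "web", "alice", "ubuntu-12.04", 3, {22, 443},
             {"sshd", "nginx"}),
    VmRecord("web-02", "web", "bob", "ubuntu-12.04", 2, {22, 443, 8080},
             {"sshd", "nginx", "telnetd"}),
    VmRecord("db-01", "db", "alice", "ubuntu-10.04", 3, {22, 5432}, {"sshd"}),
    VmRecord("cache-01", "cache", "carol", "ubuntu-12.04", 3, {22}, {"sshd"}),
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY)
    for vm_id, entry in report.items():
        status = "DRIFT" if entry["findings"] else "OK"
        print(f"{vm_id} (created by {entry['created_by']}): {status}")
        for finding in entry["findings"]:
            print("  -", finding)
    print("drifted VMs by creator:", drifted_by_creator(report))
```

A real tool would pull the observed state from the provider’s API or a configuration agent instead of the inline records.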

Embedded Security

The very structure of a VM can also help boost security because its disk files include not only the required operating system, middleware and applications, but also the configuration settings that help ensure its security, says Michael Crandell, CEO of cloud management vendor RightScale.

When Jason Axne, systems administrator at conveyor belt manufacturer Wirebelt Company of America, backs up VM files, he knows that “all the security measures you have at the virtual server level are replicated, because it is a copy of that virtual server.”

As organizations expand their use of the cloud, they often develop many different machine images for different workloads, says Crandell. If the images are managed properly, this encapsulated security information can help ensure that proper settings are automatically applied as new VMs are created. Done poorly, it can create a chaotic sprawl of server images, especially as new images with new names are created as patches and updates are applied to the original images, he says.

RightScale works to avoid this by creating a small number of base image templates that retain the same file name over time and are supplemented with the definitions required to provide specific services.

Another source of embedded configuration and security information that can be reused in the cloud is Microsoft Active Directory, which many customers already use for their internal repository of information about the characteristics of users and IT components.

Using Active Directory, customers can set policies to automatically configure servers based on which Active Directory Organizational Unit (OU) they are in, says Shahin Pirooz, executive vice president, CSO and CTO at cloud services provider Centerbeam.

With Centerbeam, he says, a user can drag and drop a VM into the right OU within Centerbeam’s cloud to ensure it is configured correctly. Other cloud providers allow similar capabilities to reuse the Active Directory’s configuration and security settings by using APIs to set up federated access control.

Genomic Health, a molecular diagnostics company, had to try several access-management vendors before finding Okta’s identity- and access-management service. Okta’s support of the Security Assertion Markup Language (SAML) standard allowed Genomic Health to use its internal Active Directory to provide single sign-on services for more than 20 software-as-a-service applications, says Ken Stineman, senior director of computing and IT.

Egenera’s PAN Manager uses virtualization to ease administration duties and help secure multitenant architectures, where different customers share the same hardware. PAN Manager virtualizes the network that connects VMs in the cloud, storing all server-specific and application-specific information on a storage area network rather than on individual servers. Because no application-specific information sits on the server, customers can share single or multiple platforms while ensuring their applications, data and network traffic never touch and thus don’t pose a security risk, says Scott Geng, senior vice president of engineering.

Virtualization also makes it easier to set up test servers before deployment, which in turn makes it easier to test security and performance before putting servers into production, says Conway of Backupify. The tools (often open-source) that are used to monitor loads on systems can also uncover attacks, he adds.

If, for example, the tool detects a cluster-wide resource leak caused by one user, that could signal a distributed denial-of-service attack or some other attempted breach.
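As an added example (not one of the monitoring tools the article refers to), the script below runs over constructed per-user load samples from several cluster nodes and flags a user whose connection count keeps growing and who holds most of the cluster’s connections across many nodes, the kind of cluster-wide signal Conway describes. The log line format, the node and user names and the thresholds are all assumptions; a hit is a prompt to investigate capacity or abuse, not a verdict on its own.

```python
"""Spot a cluster-wide resource leak attributable to a single user.

Added example for this article, not code from any vendor it names. The log
format (one line per node, per user, per sampling interval) and SAMPLE_LOG
are constructed for illustration; adapt parse() to your monitoring tool.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) node=(?P<node>\S+) user=(?P<user>\S+) "
    r"cpu=(?P<cpu>[0-9.]+) conns=(?P<conns>\d+)$"
)


def parse(lines):
    """Yield (ts, node, user, cpu, conns) tuples; lines that don't match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["node"], m["user"], float(m["cpu"]), int(m["conns"])


def per_user_footprint(samples):
    """Aggregate nodes touched and connections held per user and per timestamp."""
    nodes = defaultdict(set)                              # user -> {node, ...}
    conns_by_ts = defaultdict(lambda: defaultdict(int))   # user -> ts -> conns
    total_by_ts = defaultdict(int)                        # ts -> cluster-wide conns
    for ts, node, user, _cpu, conns in samples:
        nodes[user].add(node)
        conns_by_ts[user][ts] += conns
        total_by_ts[ts] += conns
    return nodes, conns_by_ts, total_by_ts


def find_cluster_wide_leaks(lines, min_nodes=3, share_threshold=0.5):
    """Return (user, node_count, share) for users seen on >= min_nodes nodes whose
    connection count rose at every sample and who hold >= share_threshold of all
    connections in the latest sample. Thresholds are assumptions for the example."""
    nodes, conns_by_ts, total_by_ts = per_user_footprint(parse(lines))
    if not total_by_ts:
        return []
    timestamps = sorted(total_by_ts)
    latest = timestamps[-1]
    flagged = []
    for user, series in conns_by_ts.items():
        if len(nodes[user]) < min_nodes:
            continue                      # confined to a few nodes: not cluster-wide
        share = series.get(latest, 0) / total_by_ts[latest]
        counts = [series.get(ts, 0) for ts in timestamps]
        growing = all(a < b for a, b in zip(counts, counts[1:]))
        if share >= share_threshold and growing:
            flagged.append((user, len(nodes[user]), round(share, 2)))
    return sorted(flagged, key=lambda f: f[2], reverse=True)


SAMPLE_LOG = """\
2012-05-01T10:00:00 node=n1 user=u17 cpu=0.20 conns=40
2012-05-01T10:00:00 node=n2 user=u17 cpu=0.18 conns=35
2012-05-01T10:00:00 node=n1 user=u42 cpu=0.15 conns=30
2012-05-01T10:00:00 node=n3 user=u08 cpu=0.10 conns=20
2012-05-01T10:05:00 node=n1 user=u17 cpu=0.21 conns=42
2012-05-01T10:05:00 node=n2 user=u17 cpu=0.19 conns=36
2012-05-01T10:05:00 node=n1 user=u42 cpu=0.60 conns=400
2012-05-01T10:05:00 node=n2 user=u42 cpu=0.55 conns=380
2012-05-01T10:05:00 node=n3 user=u42 cpu=0.58 conns=390
2012-05-01T10:05:00 node=n3 user=u08 cpu=0.11 conns=22
2012-05-01T10:10:00 node=n1 user=u17 cpu=0.20 conns=41
2012-05-01T10:10:00 node=n2 user=u17 cpu=0.18 conns=35
2012-05-01T10:10:00 node=n1 user=u42 cpu=0.90 conns=1500
2012-05-01T10:10:00 node=n2 user=u42 cpu=0.88 conns=1450
2012-05-01T10:10:00 node=n3 user=u42 cpu=0.91 conns=1480
2012-05-01T10:10:00 node=n4 user=u42 cpu=0.87 conns=1400
2012-05-01T10:10:00 node=n3 user=u08 cpu=0.10 conns=21
this line is not in the expected format and is skipped
""".splitlines()  # constructed samples: u42 spreads to four nodes and balloons

if __name__ == "__main__":
    for user, node_count, share in find_cluster_wide_leaks(SAMPLE_LOG):
        print(f"investigate {user}: on {node_count} nodes, "
              f"{share:.0%} of cluster connections and still growing")
```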


Limitations

There is, unfortunately, no magic pill: no one everyday cloud management technique that addresses all of an organization’s security needs. For one thing, the more that an organization needs complete and fine-grained security, the less it can piggyback on cloud management tools. This is because determining which applications can run on a server, or even which users can access that server, does not control which specific actions a user can or cannot take on that server. That level of role-based control is often required to ensure security or compliance with regulations governing data protection.

Tools such as Aveksa can control such finer-grained entitlements based on information from identity repositories such as Active Directory, says Vick Viren Vaishnavi, president and CEO of Aveksa.

The cost of conventional management tools is another hurdle, says Nand Mulchandani, co-founder and CEO of cloud management vendor ScaleXtreme. While a virtual machine might cost nine cents an hour, for instance, a system to manage it, such as the BMC BladeLogic management automation suite, “costs $1,500 per server,” he says. Such high costs force organizations with thousands of servers to go without automated patch or configuration management or audit compliance, he says, relying instead on scripts or manual processes. Schoenbeck counters that BMC’s tools “enable you to gain control of [cloud servers], particularly in a world where they’re so easy to get” to ensure they’re being used appropriately, securely and cost-effectively.

Even the provisioning management tools now available for the cloud do not support every cloud provider, says Ken Owens, vice president of security and virtualization technologies at IaaS provider Savvis. That can drive up cost and complexity by requiring the use of multiple systems to manage servers in private and public clouds. Owens expects integration will become easier in the next several years as standard interfaces evolve.

Many infrastructure management tools fall down in the way they segregate cloud management, or even just virtualization management, from the rest of IT management, says Mann. “A good infrastructure management stack will manage the cloud through the same processes and capabilities as it manages internal IT.”

Mulchandani also warns that some internal server management products were not built to run in the public cloud. Most patch management tools designed for internal corporate environments, he says, require an open inbound port to accept patch updates, something “you’d never be crazy enough” to allow on a public cloud server with a public IP address. ScaleXtreme offers a patch management tool that uses a one-way outbound HTTPS port.


Fringe Benefits

Good cloud management practices aimed at reducing spending can also improve security. Take, for example, asset discovery tools, which uncover how many applications and other systems are in use in an organization and compare those findings with the list of applications that are officially on the books. These practices, often used when estimating how much capacity an organization will need in the cloud, allow a company to cut costs by eliminating unneeded or duplicate applications and bundling what had been one-off licenses into volume purchase agreements. These same tools also give security administrators a more complete list of the cloud applications and services they must secure.

Sometimes, the side benefits flow the other way, from security tools to other business processes. While the main benefit of single sign-on for Genomic Health, for instance, is improved security, it also makes it easier to track which employees have taken their required on-line training, Stineman says.

The real upside, he hopes, will be the ability to eventually speed the process of removing users’ application access when they leave the company, eliminating the three to four hours of work it now requires to prove employees have been properly deprovisioned from all of the company’s SaaS systems.

Learning Curve

As more organizations move more applications to the cloud, many observers predict vendors will provide better integration between in-house and cloud management tools, and with premium services that give customers better control over and visibility into their cloud environments.

Using management tools to improve security can also boost the career of an IT manager, says Mann, by helping him or her move beyond being seen as an internal supplier of services to being treated as “a trusted adviser [with] the experience to provide these cloud services to the business,” bringing IT’s proven expertise with managing secure internal environments to the cloud.

Bob Scheier is a freelance writer. Send feedback to editor Derek Slater at dslater@cxo.com.




SPECIAL FOCUS: BC/DR

Starting Up Without Starting Over

So you’ve been asked to formalize a business continuity program. Here are 9 tips from the experts.

BY LAUREN GIBBONS PAUL


Sometimes you pull the short straw. That’s how one CSO felt when his former employer asked him to create a formal business continuity (BC) program a few years ago.

“It’s hard, right?” says the CSO, who worked for a technology company at the time and asked to remain anonymous. “Any division could fall down, plants could fall down. Some divisions were good and some weren’t. The top brass cared about the 20 percent that made 80 percent of the money and making sure that would continue if something happened.”

One division in particular that kept him up at night was the company’s 10,000-employee Philippine operations. As the CSO saw it, this locale was highly vulnerable to at least four different kinds of potential disruptions: volcanoes, earthquakes, tsunamis and political unrest. And that’s just for starters; it’s ignoring the frequent outages and supply interruptions that characterize business in any less-developed country.

This CSO quickly realized that the heart of business continuity is ensuring that the company can keep making money after a disaster. So he identified the functions critical to that ability and planned out how to keep them going after a spectrum of possible interruptions. Then he did something that many might envy: He handed off the business continuity function to a talented underling.

If you can’t do what he did (offload the task entirely), you can at least benefit from the lessons learned by those who’ve been in the BC trenches. Business continuity is a broad discipline, encompassing both disaster recovery for data and the activities that ensure business will carry on (or be restored quickly) in the case of an adverse or catastrophic event. Therefore, BC cuts across divisions and incorporates people, processes and technology.

Keep in mind that virtually every company approaches business continuity differently, so any one lesson may not apply to you. Still, it’s worthwhile to examine the common mistakes, erroneous mind-sets and instructive anecdotes of those who have already wrestled with formulating a business continuity program.

Here are the top nine BC lessons from CSOs and experts:

LESSON #1

Business continuity is its own discipline; treat it that way.

Companies commonly view business continuity as synonymous with another discipline, which is one reason this task not infrequently gets dropped on security leaders. But this is a mistake, because this kind of thinking leads to inadequate planning, according to Denis Goulet, a certified BC consultant and trainer and a principal at ContinuityLink. “Business continuity is not security, it’s not emergency management, it’s not risk management,” says Goulet.

In fact, business continuity professionals can earn a growing number of certifications from several organizations, including DRI International, BCM Institute, Business Continuity Institute, Business Resilience Certification Consortium International, the Institute for Business Continuity Training and the National Institute for Business Continuity Management.

To distinguish between business continuity and risk management, think of risk management as identifying the probability or cause of an adverse event and business continuity as considering the impact of the event, Goulet says. “We’re interested in business interruption (the ability to do business is not there anymore), so what will it take to get back up and running so you don’t lose your reputation, customers or revenue?”

Put another way, business continuity takes over where risk management leaves off, Goulet says. So, let’s say you assume under risk management that the probability of an earthquake leveling your Manhattan office building is near zero. Under risk management, then, you decide not to spend the money it would take to put in place another office location as backup. Business continuity says, “The worst has happened, despite its low probability; now what are we going to do about it?” And the solution there could be something as simple as having employees work at home.

“There is always residual risk left over from risk management,” says Goulet. BC steps in to fill that gap.

LESSON #2

The process is collaborative, but ultimately the CEO owns it.

One problematic mind-set that many companies cling to is that the CSO can be the owner of business continuity planning and testing. The fact is, BC is by its nature a collaborative effort, and the CEO is its ultimate owner.

“As a practical matter, it’s a variety of disciplines (IT, security, HR, line of business) that can be tasked with creating a formal BC program,” says Edward Brown, president and CEO of BC consultancy KetchConsulting.

The CEO heads the business; therefore it is his or her duty to ensure it will continue, come what may. Working on BC planning with senior management underlines its importance to the organization, says Goulet.

“I’ve trained people who were more technical, less technical, more senior, less senior. There is no predefined path. Business continuity has grown out of different places in the company, for better or worse,” he says.

The key things to remember: Get ironclad executive support and collaborate with other departments.




LESSON #3

Be thorough in your business impact analysis.

Veterans of business continuity planning have learned the hard way that the cornerstone of BC planning (and therefore one of the first things that needs to be done when formalizing a BC program) is a business impact analysis (BIA).

In this exercise, you sit down with a cross-disciplinary team, examine everything your company does, and identify your critical business activities. The essential question is: How much time could this function be suspended for before we would go out of business?

“Some functions can stop for one week, some for one hour, some for one month,” says Goulet. From there, you will define a solution (which may be both technical and non-technical) that will restart the function within the period you’ve decided on. That is called your recovery-time objective, or RTO. A business impact analysis will identify the RTO for each business function in your organization.

“ROI is a TRAP.” -DENIS GOULET, CONSULTANT, CONTINUITYLINK

Sometimes the results of the BIA can be surprising. For example, a whiskey maker’s most critical function might turn out to be distribution, ensuring the product gets onto store shelves, as opposed to production, which could cease for quite a long time before the customers or marketplace would know anything was wrong.

The key lesson here is not to try to take a shortcut through the process. Many executives think they have a gut feeling for what is most important without examining everything. That’s not right, says Goulet. “You don’t start by identifying the top three activities with senior management. You might leave out essential parts of the business that are not easily visible from the top.”

For example, you might think that sales would be one of the most critical functions at any company, since no one can survive without selling things. But it turns out that’s probably not the case, at least from a business continuity standpoint. “The sales force gets the money in. They create growth by selling to new customers. One thing you don’t want to deal with after a disaster is a new customer. For a while, you want to focus on keeping the existing customers instead,” says Goulet.

LESSON  #4 

Focus  on  business  value, 
not  assets  or  functions. 

Karen  Avery’s  perspective  on  business 
continuity  has  changed  quite  a  bit  since  her 
time  as  CISO  for  GE  Capital.  At  the  time,  she 
made  decisions  based  on  what  it  would  take 
to  keep  a  particular  asset  (like  a  building)  or 
function  (like  accounting)  up  and  running. 
Now,  as  managing  director  at  consultancy 
Marsh  Business  Resiliency  Solutions,  she 
takes  a  value-based  approach  to  determin¬ 
ing  BC  priorities.  With  the  old  approach, 
she  would  start  her  planning  by  looking  at 
a  building  or  technology  asset  or  a  function 
in,  for  example,  marketing  or  finance.  But 
it’s  much  more  effective,  she  says,  to  start 
with  how  the  organization  creates  value  in 
the  marketplace. 

“Go  from  a  revenue  perspective,  and 
then  look  at  the  value  chains  that  support 
that  revenue.  The  functions  will  align  to  it, 
helping  you  quickly  identify  vulnerability 
throughout  the  value  chain,”  Avery  says. 

LESSON  #5 

Don’t  go  it  alone. 

Dennis Dayman can sum up the best lesson he has learned about business continuity in one sentence: Self-assessments are worthless. As part of his company’s annual review of its BC plans, he often had the uncomfortable feeling that the company was missing something. “No one wants to talk about their own faults and vulnerabilities,” says Dayman, CSO of Eloqua, a software-as-a-service vendor. “Now we have a third party, TRUSTe, come in and say what we missed.” As a volunteer firefighter who responds to dozens of emergency calls in his town every year, Dayman knows all too well that disasters happen and can ruin companies—not to mention lives. As he learned, the best way to avoid myopia in your BC planning is to get third parties involved.


LESSON  #6 

Beware  the  ROI  trap. 

Another  commonly  held  misconception  is 
that  business  continuity  is  an  investment 
like  any  other  and  can  be  cost-justified 
just  like  all  other  investments.  But  Goulet 
argues  that  enterprises  need  to  let  go  of  this 
damaging  idea.  BC  should  be  viewed  as  an 
expense  and  a  cost  of  doing  business.  In  his 
view,  that  is  one  glaring  distinction  between 
BC  and  its  sister  discipline,  risk  manage¬ 
ment,  which  mitigates  risk  based  on  the 
cost  of  the  solution  in  light  of  the  probable 
damage.  Risk  management  weighs  those 
choices,  while  business  continuity  says, 
“We  know  it’s  remote,  but  we  need  to  plan 
for  the  worst-case  scenario.” 

“ROI  is  a  trap,”  says  Goulet.  “Everyone 
struggles  to  find  something  to  say  to  the 
finance  people,  but  that’s  a  trap.  Business 
continuity  is  part  of  the  cost  of  doing  busi¬ 
ness.  We  won’t  throw  millions  at  this  if  we 
don’t  have  to,  but  if  we  have  to,  we  will.” 

But  BC  is  not  about  unlimited  spending 
on  an  unlikely  outcome.  It  is  about  spend¬ 
ing  whatever  is  necessary—  and  only  what  is 
necessary— to  allow  the  company  to  survive 
after  an  adverse  event.  “If  you  want  a  cheap 
solution,  don’t  do  anything,”  Goulet  says. 

Ignoring ROI can be a hard pill to swallow for management, especially if they’re rooted in the risk management world, where everything is probability- and return-based. If you are stuck with this mindset, Avery advises that you use modeling to quantify the value of the function.

“Companies  get  stuck  because  they  go 
through  a  process,  and  they  have  all  these 
solutions  at  all  these  price  points  and  they 
can’t  justify  the  investment,”  she  says. 

“If  you  take  the  value-based  approach 
and  embed  some  analytics,  you  can  model 
the  exposure  versus  the  return  on  risk 
investment.  Then  you  can  justify  the 
expense  to  your  CEO.”  First,  though,  do 
your  best  to  convince  management  that  BC 
is  a  cost  of  doing  business. 

LESSON  #7 

Build  in  some  flexibility. 

While  it  makes  sense  to  standardize  BC 
plans  as  much  as  possible,  it’s  just  as  impor¬ 
tant  to  allow  for  some  flexibility  for  local 
distinctions,  according  to  John  South,  CSO 
for  Heartland  Payment  Systems. 

“We look at business continuity as a distributed function, with responsibilities shared by regional operations managers,” he says.

Heartland  issues  a  standard  format 
for  business  continuity  that  it  expects 
all  its  assorted  business  units  to  adopt 
when  developing  their  business  continu¬ 
ity  plans,  but  it  knows  that  those  units  also 
need  the  flexibility  to  define  their  plans 
within  the  parameters  of  their  local  opera¬ 
tion,  South  explains. 

To  give  one  example,  when  a  local  oper¬ 
ation  owns  its  own  facilities,  it  might  be 
facing  a  different  set  of  BC  concerns  than 
a  unit  that  leases  its  building,  even  though 
they’re  part  of  the  same  company. 

LESSON  #8 

Show  clients  your  plans. 

CSOs  must  realize  that  business  continuity 
is  expanding  beyond  the  four  walls  of  the 
enterprise.  Increasingly,  clients  and  supply 
chain  partners  want  to  know  about  your 
business  continuity  plans. 


This  makes  sense,  as  a  company  is  only 
as  strong  as  the  weakest  link  in  its  supply 
chain.  Exchanging  BC  plans  is  becoming 
part  of  doing  business  and  can  make  a  com¬ 
petitive  difference. 

Becker  and  Poliakoff,  a  law  firm,  has 
over  a  dozen  offices  in  Florida  and  several 
more  in  other  states,  plus  one  in  Europe.  Ari 
Solomon,  director  of  IT,  finds  that  clients  can 
help  with  BC  planning  by  delineating  their 
priorities.  “They  want  to  know  how  they 
will  get  in  touch  with  the  attorneys  if  there  is 
an  outage,”  he  says.  In  a  disaster,  “they  really 
don’t  care  so  much  about  getting  documents 
out,  as  long  as  they  can  communicate  with 
their  attorney.” 

And  given  that  the  firm’s  main  office  is 
located  in  southern  Florida,  outages  are 
not  uncommon.  “What  other  people  call  a 
disaster  event,  I  call  a  weekday,”  Solomon 
says.  “Hurricanes  always  come  here;  it’s 
like  we’re  just  sitting  here  waiting  for  them 
to  happen.  I  don’t  plan  for  disaster,  I  plan 
for  the  normal  reality  of  life.” 


LESSON  #9 

Make  sure  everyone 
knows  what  to  do. 

A  quick,  no-cost  way  of  determining 
whether  your  business  continuity  discus¬ 
sions  are  gaining  traction  is  to  have  some¬ 
one  ask  your  CEO  where  employees  would 
go  if  their  office  were  reduced  to  rubble. 

“If  they  say,  ‘I  would  probably  work 
from  home,’  that’s  a  bad  sign,”  says  Brown. 
“You  need  to  say,  According  to  my  plan, 
everyone  would  work  from  home.’  If  they 
say  ‘probably’  or  ‘maybe,’  it  isn’t  written 
down,  and  it  doesn’t  exist.” 

Maybe  you  have  not  yet  been  asked  to 
head  up  business  continuity  planning,  but 
once  you’ve  gotten  the  call,  it’s  imperative 
to  have  a  foundation  in  place  to  do  a  credit¬ 
able  job.  Your  company’s  future  may  be  at 
stake.  ■ 


Freelance  writer  Lauren  Gibbons  Paul  is  a  fre¬ 
quent  contributor  to  CSO.  Send feedback  to  edi¬ 
tor  Derek  Slater  at  dslater@cxo.com. 




FOUR TRENDS IN BUSINESS CONTINUITY

How BC/DR is helped (and hindered) by social, mobile, virtualization and cloud BY BOB VIOLINO

Photo by Shawn Henry

In IT, failure is not an option. Not surprisingly, organizations have made it a high priority to develop and implement reliable business continuity plans to ensure that IT services are always available to internal users and outside customers.

But recent technology developments and trends—most notably server and desktop virtualization, cloud computing, the emergence of mobile devices in the workforce, and social networks—are having an impact on how enterprises handle IT business continuity planning and testing. Much of this change is for the better, experts say, but these trends can also create new challenges for IT, information security and risk-management executives.

Here’s a look at how these tech megatrends are affecting IT business continuity specifically.

VIRTUALIZATION

BUSINESS CONTINUITY PLANNING is getting easier for IT executives and their organizations thanks to virtualization, if for no other reason than that it’s helping to reduce the number of IT assets, says George Muller, vice president of sales planning, supply chain and IT at Imperial Sugar, which is one of the nation’s largest processors and marketers of refined sugar.

“For those of us who have been in the IT world for a few years, we’ve seen the transition from the old large mainframes to client/server to Web-based applications to cloud-based computing,” Muller says. “During that time, the proliferation of PCs and servers has been wild.”

With so many devices for IT to maintain and keep running—especially physical servers in the data center—ensuring systems’ uptime became a huge challenge, Muller says. “With virtualization, we’ve now been able to reduce that footprint [of servers], which means when we are planning for business continuity now we’ve got fewer devices to worry about.”

Server virtualization has allowed communications and compliance technology services provider Walz Group to greatly reduce its planned outages and largely eliminate unplanned downtime, says CISO Bart Falzarano.

Using  server  virtualization,  the  company  can  manage,  support 
and  secure  its  applications  more  effectively,  Falzarano  says.  Walz 
has  been  able  to  achieve  higher  virtualization  efficiencies  (a  higher 
number  of  virtual  machines  per  hypervisor  host)  using  newer 
infrastructure  technology. 

The  company  is  then  able  to  leverage  workload  mobility  capa¬ 
bilities  locally,  allowing  it  to  quickly  move  virtual  machines  and 
applications  between  different  physical  resource  pools  of  comput¬ 
ing  power,  memory  and  storage. 

“For maintenance, upgrades, firmware updates, critical patches, etc., Walz simply moves the applications away from the area being impacted by the maintenance activity,” Falzarano says. “Once the maintenance activity, testing and quality control checks are complete, [we] may move the application back to that region or area.”

Virtualization  has  actually  had  a  bigger  effect  on  disaster  recov¬ 
ery  than  on  business  continuity,  says  John  Morency,  research  vice 
president  at  research  firm  Gartner.  However,  one  area  of  continu¬ 
ity  that’s  been  affected  is  maintaining  backup  locations,  a  strategy 
called  work  area  recovery. 

Many  companies  planning  for  business  continuity  have  relied 
on  providers  of  work  area  recovery  sites,  which  can  cost  from  $15 
to  $25  per  seat,  Morency  says. 

“But what more organizations are doing now is having people work at home or at Starbucks or the library or wherever,” he says. “The use of Citrix, VDI and other desktop virtualization technologies, in conjunction with secure tunneling, is enabling organizations to implement broader and more distributed work area recovery.”

Some  businesses  and  functions,  such  as 
branch  banks  and  customer  service  call  cen¬ 
ters,  continue  to  use  work  area  recovery  ser¬ 
vices,  Morency  says.  But  a  growing  number 
of  Gartner  clients  are  instead  using  virtu¬ 
alization  to  enable  people  to  work  offsite 
when  needed. 

Rachel  Dines,  senior  analyst  of  infra¬ 
structure  and  operations  at  Forrester 
Research,  says  desktop,  or  client,  virtualiza¬ 
tion  is  having  a  bigger  impact  on  business  con¬ 
tinuity  than  server  virtualization. 

“Client  virtualization  is  making  workforce  recovery 
[possible]  for  many  companies  that  cannot  rely  on  employees 
working  from  home  with  laptops,”  Dines  says. 

For  example,  at  companies  that  deal  with  highly  sensitive 
information— such  as  financial  services  or  insurance  firms,  or 
government  agencies— employees  are  often  not  issued  laptops  in 
order  to  prevent  data  leaks.  In  those  cases,  client  virtualization 
enables  the  rapid  deployment  of  client  images  to  disparate  hard¬ 
ware  at  workforce  recovery  sites,  Dines  says. 

In  addition,  organizations  can  deploy  client  virtual  machines 
over  the  Internet  and  allow  employees  to  access  them  via  personal 
computers  at  home. 

“Either  way,  users  are  able  to  use  the  same  environment  that 
they  are  accustomed  to  on  a  daily  basis,  which  means  they  will  be 
more  productive  during  the  outage,”  Dines  says. 


CLOUD  COMPUTING 


MORE  AND  MORE  of  Gartner’s  clients  are  using  software  as  a 
service  (SaaS)  to  support  business  processes,  Morency  says. 

“With  the  use  of  SaaS  for  client-facing  applications  and  even 
internal  customer  support  applications,  there’s  a  much-improved 
means  of  continued  availability,  even  in  the  presence  of  minor  or 
major  disruptions,”  Morency  says.  “You  have  a  set  of  applications 
delivered  from  the  cloud.” 

But  this  also  imposes  additional  responsibilities  on  IT,  which 
has  to  broker  those  services  and  provide  additional  problem-man¬ 
agement  triage  when  necessary,  Morency  says. 

Walz  Group  operates  a  private  cloud  and  uses  cloud-manage¬ 
ment  tools  that  Falzarano  says  are  a  key  to  the  company’s  busi¬ 
ness  continuity  initiatives.  One  product  the  company  is  using  is 
FlexPod,  a  data  center  management  platform  from  Cisco  Systems 
and  NetApp  that  provides  a  design  architecture  with  combined 
networking,  computing  and  storage  infrastructure. 

Every  Walz  application  that’s  running  on  FlexPod  has  a 
template  associated  with  it,  Falzarano  says.  These  templates  are 
checked  into  an  environments  catalog,  and  are  centrally  managed 
by  cloud  management  software.  This  setup  allows  the  IT  team  at 
Walz  to  maintain  business  continuity  effectively,  he  says. 

A  dashboard,  along  with  alerts  and  metrics  reports,  allows 
staff  to  monitor  how  much  resources— such  as  CPU,  memory, 
storage  and  bandwidth— the  environments  are  consuming.  At 
preset  intervals  ranging  from  daily  to  quarterly,  the  company  runs 
detailed  trend  reports  that  help  with  planning,  deter¬ 
mining  and  provisioning  the  capacity  needed  for 
business  continuity  and  disaster  recovery 
purposes. 

Using  the  cloud  management  tool, 
Walz  can  set  up  defined  policies  for 
scaling  out  additional  applications, 
and  this  allows  it  to  maintain  business 
continuity  with  more  automated,  on- 
demand  provisioning,  Falzarano  says. 
The  software  also  allows  Walz  to 
provision  to  a  private  cloud,  either  its 
own  or  a  service  provider’s.  For  example, 
if  Walz  is  using  80  percent  of  its  internal  pri¬ 
vate  cloud  and  suddenly  sees  a  demand  for  a  new 
application  and  wants  to  rapidly  spin  up  development 
systems,  it  might  choose  to  run  those  systems  in  a  service  provid¬ 
er’s  private  cloud  instead  of  in  the  remaining  20  percent  on  its  own 
cloud,  so  it  can  reserve  some  room  for  growth.  The  same  model 
can  also  be  used  for  business  continuity,  Falzarano  says. 

Imperial  Sugar  operates  a  hybrid  cloud  environment,  with 
about  95  percent  of  its  applications  running  on  a  private  cloud 
in  its  data  center  and  the  remainder  accessed  via  SaaS.  The  pri¬ 
vate  cloud  is  provided  by  a  network  service  provider,  and  the 
SaaS  software  is  delivered  by  software  vendors  on  a  hosted  basis, 
Muller  says. 

Because  the  cloud  environment  is  maintained  by  service  pro¬ 
viders  and  software  vendors,  the  onus  falls  on  them  to  ensure 
continuity,  and  that  can  be  both  a  benefit  and  a  risk,  Muller  says. 


“What  more 
organizations  are 
doing  now  is  having 
people  work  at  home  or 

at  Starbucks  or  the 
library  or  wherever.” 

-JOHN  MORENCY, 

VP,  GARTNER 




“When  I  have  a  third  party  hosting  the  environment  for  me,  I 
look  to  them,  as  part  of  the  service-level  agreement,  to  have  the 
resources— the  people  and  hardware  and  infrastructure— in  place 
so  that  they  can  guarantee  me  if  the  hardware  has  a  problem  at  one 
location  they’ve  got  another  location  that  will  bring  up  my  apps 
in  a  manner  that  is  seamless  to  our  internal  users,”  Muller  says. 
“That’s  sort  of  their  problem,  as  long  as  I’ve  got  a  strong  service- 
level  agreement  in  place  with  them.” 

On  the  other  hand,  even  with  a  service-level  agreement  hold¬ 
ing  the  service  provider  responsible,  there  are  no  guarantees  that 
service  will  not  at  some  point  be  interrupted,  Muller  says. 

Not everyone sees cloud computing as influencing business continuity. “As of today, I don’t see a huge impact,” says Dines, the Forrester analyst. “However, I do expect this to become a significant complicating factor in the future. As more organizations outsource more services to the cloud, it will become the job of the business continuity manager to audit the recovery plans of many different suppliers.”

In  addition,  Dines  says,  during  a  failure  or  system  test,  recov¬ 
ery  will  need  to  be  coordinated  across  many  sites  run  by  different 
vendors.  “Longer  term,  cloud  will  make  business  continuity  much 
more  complicated,”  she  says. 


MOBILE  DEVICES 


THE  PROLIFERATION  OF  mobile  devices  in  the  workforce  is 
a  benefit  for  business  continuity  strategies  because  it  gives  more 
flexibility  for  workforce  recovery  options,  Dines  says. 

“As  compared  to  the  days  when  employees  only  had  desktops 
and  laptops,  the  ability  to  remain  productive  without  access  to  a 
computer,  via  tablets  and  smartphones,  is  a  significant  advantage,” 
she  says.  “Additionally,  it  means  that  employees  should  be  easier 
to  communicate  with  during  a  disaster.” 

Business  continuity  planning  software  vendors  are  putting 
more  emphasis  on  ensuring  that  the  software  and  informa¬ 
tion  needed  for  business  continuity  can  be  accessible  via  mobile 
devices,  Morency  says.  This  includes  information  such  as  the  cur¬ 
rent  status  of  recovery,  the  locations  to  which  employees  should  be 
going,  what  applications  and  services  they  can  access  and  where 
they  connect  to  get  the  latest  emergency  updates. 

“This  is  not  only  for  telecommuters  but  for  the  workforce  in 
general,  and  for  the  mobile  sales  folks  who  need  ways  to  access  the 
information  that  is  most  relevant  to  them  and  to  be  able  to  access  it 
through  the  device  of  their  choice,”  Morency  says. 

Enterprises  “cannot  depend  on  corporate  headquarters  or  the 
data  center  always  being  available  following  a  disruptive  event,” 
Morency  says.  “They  have  to  ensure  that  critical-plan  content  is 
always  available  [including  to  mobile  users]  regardless  of  what 
happened.” 

Many  Imperial  Sugar  employees  use  smartphones,  tab¬ 
lets  and  other  devices  for  work,  Muller  says,  and  these  devices 
would  likely  prove  useful  from  a  business  continuity  perspective 
because  workers  could  use  them  to  conduct  business  transactions 
and  communicate  with  coworkers  and  customers  from  multiple 
remote  locations. 


The  key  issue  is  ensuring  that  these  devices  continue  to  have 
access  to  the  software  and  services  that  allow  them  to  function 
optimally  for  applications  such  as  messaging  and  collaboration. 
“If  I’ve  got  a  BlackBerry  Enterprise  Server,  I  just  need  to  make  sure 
that  it’s  something  I  can  bring  up  at  a  remote  business  continuity 
or  disaster  recovery  site”  if  needed,  Muller  says. 

The  proliferation  of  mobile  devices  makes  it  easier  for  people 
to  stay  connected,  “and  certainly  makes  it  easier  to  connect  in  a 
business  recovery  situation,”  Muller  says.  “A  wireless  PC  can  do 
the  same  thing,  but  a  mobile  device  is  smaller  and  easier  to  carry 
around  and  it  costs  less.  You  can  do  just  about  anything  on  a 
mobile  device  that  you  can  do  on  a  PC.” 


SOCIAL  NETWORKS 


A  FORRESTER  REPORT  published  in  July  2011,  titled  “It’s  Time  to 
Include  Social  Technology  in  Your  Crisis  Communication  Strategy,” 
notes  that  while  many  risk  professionals  subscribe  to  automated 
communication  services  for  reliable  mass  notification,  “the  wide¬ 
spread  adoption  of  mobile  devices  and  easy  Internet  access  support 
the  case  for  using  social  technologies  like  Twitter,  Facebook,  and 
Skype  as  critical  components  of  your  response  plan.” 

As  companies  look  for  fast,  effective  ways  to  communicate  with 
key  stakeholders  in  a  crisis,  they  should  strongly  consider  social 
technologies,  the  report  says. 

Another  report,  “The  Do’s  and  Don’ts  of  Using  Social  Media 
in  Business  Continuity  Management,”  released  by  Gartner  this 
January,  notes  that  social  media  “holds  the  promise  of  transform¬ 
ing  enterprise  business  continuity  management,  especially  crisis/ 
incident  management  and  communications  practices.” 

Social  media  is  used  by  more  than  80  percent  of  the  world’s 
population,  Gartner  says,  and  enterprises  can’t  afford  to  ignore  it 
as  a  crisis  communications  tool.  But  effective  use  of  a  new  commu¬ 
nications  channel  requires  planning  and  practice,  and  attempting 
to  leverage  social  media  for  the  first  time  during  a  crisis  can  do 
more  harm  than  good,  the  firm  says. 

The  Gartner  report  goes  on  to  make  several  recommenda¬ 
tions  for  using  social  media  as  a  disaster  recovery  tool,  including 
determining  which  social  platforms  are  already  used  by  employ¬ 
ees,  customers  and  other  stakeholders  and  incorporating  those 
platforms  in  crisis-  and  incident-management  efforts;  and  using 
social  media  not  only  to  communicate  during  a  disaster,  but  also 
to  gather  information  and  gain  the  support  of  outside  resources 
that  can  help  ensure  ongoing  resilience.  Business  continuity  man¬ 
agement  professionals  should  immediately  begin  assessing  social 
media’s  opportunities— and  its  risks. 

“Social  networks  are  both  a  blessing  and  a  curse”  for  business 
continuity,  Dines  says.  “They  have  the  benefit  of  being  an  addi¬ 
tional  communication  channel  to  get  in  touch  with  employees 
during  a  [business  disruption].  However,  they  can  be  a  headache 
for  crisis  communications  and  PR  as  they  try  to  control  potential 
damages  to  reputation  and  the  propagation  of  rumors.”  ■ 


Freelance  writer  Bob  Violino  is  a  frequent  contributor  to  CSO.  Send 
feedback  to  editor  Derek  Slater  at  dslater@cxo.com. 




[  INDUSTRY  VIEW] 

Joe  Ferrara,  Wombat  Security  Technologies 


Ten  Commandments  for 
Effective  Security  Training 


Information  security  people  think 
that  simply  making  users  aware 
of  security  issues  will  make  them 
change  their  behavior.  But  security 
pros  are  learning  the  hard  way  that 
awareness  rarely  equals  change. 

One  fundamental  problem  is  that  most 
awareness  programs  are  created  and  run 
by  security  professionals,  people  who  were 
not  hired  or  trained  to  be  educators.  These 
training  sessions  often  consist  of  long  lec¬ 
tures  and  boring  slides— with  no  thought 
or  research  put  into  what  material  should 
be  taught  and  how  to  teach  it.  As  a  result, 
organizations  are  not  getting  their  desired 
results  and  there’s  no  overall  progress. 

To  solve  this  puzzle,  it’s  important  to 
step  back  and  understand  how  people  most 
effectively  learn  subject  matter  of  any  type. 
The  science  of  learning  dates  back  to  the 
early  1950s,  and  its  techniques  have  been 
proven  over  time  and  adopted  as  accepted 
learning  principles.  Applied  to  information 
security  training,  these  techniques  can  pro¬ 
vide  immediate,  tangible,  long-term  results 
in  educating  employees  and  improving 
your  company’s  overall  security  posture. 

1.  Serve  small  bites:  People  learn  bet¬ 
ter  when  they  can  focus  on  small  pieces  of 
information  that  the  mind  can  digest  eas¬ 
ily.  It’s  unreasonable  to  cover  55  different 
topics  in  15  minutes  of  security  training 
and  expect  someone  to  remember  it  all  and 
then  change  their  behavior.  Short  bursts  of 
training  are  always  more  effective. 

2.  Reinforce  lessons:  People  learn  by 
repeating  elements  over  time— without 
frequent  feedback  and  opportunities  for 
practice,  even  well-learned  abilities  go 
away.  Security  training  should  be  an  ongo¬ 
ing  event,  not  a  one-off  seminar. 

3. Train in context: People tend to remember context more than content. In security training, it’s important to present lessons in the same context as the one the person is most likely to be attacked in.

4. Vary the message: Concepts are best learned when they are encountered in many contexts and expressed in different ways. Security training that presents a concept to a user multiple times and in different phrasing makes the trainee more likely to relate it to past experiences and forge new connections.

5.  Involve  your  students:  It’s  obvious 
that  when  we  are  actively  involved  in  the 
learning  process,  we  remember  things 
better.  If  a  trainee  can  practice  identify¬ 
ing  phishing  schemes  and  creating  good 
passwords,  improvement  can  be  dramatic. 
Sadly,  hands-on  learning  still  takes  a  back¬ 
seat  to  old-school  instructional  models, 
including  the  dreaded  lecture. 

6. Give immediate feedback: If you’ve ever played sports, it’s easy to understand this one. “Calling it at the point of the foul” creates teachable moments and greatly increases their impact. If a user falls for a company-generated attack and gets training on the spot, it’s highly unlikely they’ll fall for that trick again.

7. Tell a story: When people are introduced to characters and narrative development, they often form subtle emotional ties to the material that help keep them engaged. Rather than listing facts and data, use storytelling techniques.

8.  Make  them  think:  People  need  an 
opportunity  to  evaluate  and  process  their 
performance  before  they  can  improve. 
Security  awareness  training  should  chal¬ 
lenge  people  to  examine  the  information 
presented,  question  its  validity,  and  draw 
their  own  conclusions. 

9.  Let  them  set  the  pace:  It  may  sound 
cliche,  but  everyone  really  does  learn  at 
their  own  pace.  A  one-size-fits-all  security 
training  program  is  doomed  to  fail  because 
it  does  not  allow  users  to  progress  at  the 
best  speed  for  them. 

10.  Offer  conceptual  and  procedural 
knowledge:  Conceptual  knowledge  pro¬ 
vides  the  big  picture  and  lets  a  person  apply 
techniques  to  solve  a  problem.  Procedural 
knowledge  focuses  on  the  specific  actions 
required  to  solve  the  problem.  Combin¬ 
ing  the  two  types  of  knowledge  greatly 
enhances  users’  understanding.  For  exam¬ 
ple,  a  user  may  need  a  procedural  lesson  to 
understand  that  an  IP  address  included  in 
a  URL  is  an  indication  that  they  are  seeing 
a  phishing  URL.  However,  they  also  need 
the  conceptual  understanding  of  all  the 
parts  of  a  URL  to  understand  the  difference 
between  an  IP  address  and  a  domain  name, 
otherwise  they  may  mistake  something  like 
www4.google.com  for  a  phishing  URL.  ■ 
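The procedural rule in point 10 (an IP address where the host name should be is a phishing sign) can be written down as a check, and doing so exposes exactly the conceptual gap the column warns about: the check has to know what the host part of a URL is before it can ask whether that part is an address. The block below is an added example, not code from this column or from Wombat Security Technologies. It uses only the Python standard library. The sample URLs are constructed for the example; beyond the column's single case it also covers the decimal and hex spellings of an IPv4 address and the userinfo trick, where a familiar name before an @ is not the host at all.

```python
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit


def parse_host(url: str) -> Tuple[str, Optional[str]]:
    """Return (hostname, userinfo) for url.

    A bare host such as www4.google.com/account has no scheme, so urlsplit
    would file it under path; prepend http:// so it lands in netloc.
    urlsplit lowercases the hostname and strips IPv6 brackets for us.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").rstrip("."), parts.username


def is_ip_literal(host: str) -> bool:
    """True for dotted-quad IPv4 (192.168.1.10) or IPv6 (2001:db8::1)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_numeric_host(host: str) -> bool:
    """True for the decimal (2130706433) and hex (0x7f000001) spellings of an
    IPv4 address. Browsers resolve both to 127.0.0.1, yet neither contains a
    dot, so a naive 'four numbers separated by dots' rule would miss them."""
    if host.isdigit():
        return True
    if host.startswith("0x") and len(host) > 2:
        return all(c in "0123456789abcdef" for c in host[2:])
    return False


def classify_url(url: str) -> Tuple[bool, str]:
    """Return (suspicious, reason).

    Suspicious means the host is an address rather than a name, or the URL
    carries userinfo before '@' that disguises the real host. A domain name
    such as www4.google.com is NOT suspicious on this rule: the digit is part
    of a label, not an address.
    """
    try:
        host, userinfo = parse_host(url)
    except ValueError as exc:  # e.g. malformed IPv6 brackets
        return True, f"unparseable URL ({exc})"
    if not host:
        return True, "no host"
    reasons = []
    if is_ip_literal(host):
        reasons.append(f"IP literal host {host}")
    elif is_numeric_host(host):
        reasons.append(f"numeric host {host} is not a domain name")
    if userinfo is not None:
        reasons.append(f"text '{userinfo}' before @ is userinfo, not the host")
    if reasons:
        return True, "; ".join(reasons)
    return False, f"domain name {host}"


# Constructed sample URLs (not from the column): the case it mentions plus
# the obfuscated forms that trip up a rule learned only procedurally.
SAMPLE_URLS = [
    "http://192.168.1.10/login",
    "https://www4.google.com/",
    "www4.google.com/account",
    "http://[2001:db8::1]/",
    "http://2130706433/",
    "http://0x7f000001/",
    "http://www.google.com@10.0.0.1/login",
]


def scan(urls) -> dict:
    """Classify every URL; returns {url: (suspicious, reason)}."""
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    for url, (suspicious, reason) in scan(SAMPLE_URLS).items():
        print(("SUSPECT " if suspicious else "ok      ") + url + "  <- " + reason)
```

The point for training is the last sample: a user taught only "look for numbers" will see www.google.com and stop reading, while a user who understands that everything before the @ is credentials, and the host is what follows, spots 10.0.0.1.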


Joe  Ferrara  is  president  and  CEO  of  Wombat 
Security  Technologies. 






[  debriefing] 


Age-Appropriate 
Child-Monitoring  Tools 
for  the  Concerned  Security  Pro 


CHILD'S AGE     TOOL

0-2 years       ■ Standard 1-way baby monitor

3-8 years       ■ Antivirus and parental control software on home computer
                ■ Antivirus and parental control software on iPod Touch
                ■ Spy cam in plush toy

14-18 years     ■ Automated bank account transaction alerts
                ■ Upstairs bedroom window and basement door exfiltration sensors
                ■ Smartphone texting monitor (with real-time translation into English)

19-23 years     All of the above, plus:
                ■ Total situational awareness station located in safe room
                ■ Ankle bracelet or RFID geo-tracker implant
                ■ Roomie Helper service (Actual 19-year-old certified investigator
                  matriculates undercover as your child's roommate. Spring Break
                  requires overtime pay, plus beer money.)
                ■ Xanax




Illustration  by  Carl  Spackler 


TO OPERATE TURN A HANDLE ONCE?


You  can't  stop  threats  if  you  can't  spot  them.  That's 
why  HP  Enterprise  Security  offers  proven  solutions 
that  deliver  context-aware  visibility  into  security 
risk.  There's  no  better  way  to  proactively  detect 
security  issues  and  drive  situational  awareness 
across  your  applications,  operations,  and 
infrastructure.  The  HP  Security  Intelligence  and 
Risk  Management  platform  provides  integrated 
correlation,  application  protection  and 
network  defenses  that  can  secure  modern 
IT  environments  from  sophisticated  threats. 


For  more  information  go  to 
www.hpenterprisesecurity.com 


Advanced  protection 
against  advanced  threats 


Copyright  ©2011  Hewlett-Packard  Development  Company,  LP. 


WHAT  IT  GOVERNANCE  AND  COMPLIANCE 

CAN  LEARN  FROM  AIR  TRAFFIC  CONTROL. 


A tale about being visible, proactive and secure


To  keep  the  skies  safe,  an  air  traffic  controller  directs, 
watches  and  predicts  traffic  issues  -  while  managing 
constant  change. 

Lesson  learned:  without  control,  the  sky  is  falling. 


Quest  solutions  deliver  visibility  into  your  environment, 
so  tracking  and  managing  change  -  while  maintaining 
IT  governance  and  compliance  -  is  a  snap.  Ready  to 
dismiss  governance  and  compliance  flights  of  fancy? 
Quest  can  help. 


Read  the  eBook  at  www.quest.com/ComplianceSolution 


SOFTWARE 

Simplicity  At  Work 


© 2012 Quest Software, Inc. ALL RIGHTS RESERVED. Quest, Quest Software and the Quest Software logo are registered trademarks of Quest Software, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.


